New Member

CSA 5.2.0.225 and Wireless

Does anyone know if it is possible to stop users from connecting to wireless networks while connected from the ethernet adapter? I did create a policy and used the Rule Module included in CSA (Prevent Wireless if Ethernet Active) and it allows me to connect to wireless networks.

Any info would be greatly appreciated.

7 REPLIES
Blue

Re: CSA 5.2.0.225 and Wireless

I did in 5.2.210.

I used the Ethernet active with DNS suffix matching System State and the $Wi-fi [V5.2 r210].

It worked as expected.

Tom

New Member

Re: CSA 5.2.0.225 and Wireless

Yea the module still allows you to connect to the wireless network but does not allow traffic.

You could always look at blocking DHCP on wireless so you don't get an address.

Also, if you are using a management application for the wireless interface you could always try blocking that from executing so the wireless connection does not establish. That is in theory but it should work.

New Member

Re: CSA 5.2.0.225 and Wireless

So being that the rule module is in place without a policy, is it best that the rule be copied and then used? I guess I really don't understand why they have rule modules but do not associate them with a policy out of the box.

Thanks!

Blue

Re: CSA 5.2.0.225 and Wireless

I think they create them so they are there if needed and you don't have to create them from scratch.

You could associate the existing rule module with a new Wireless Connection policy and attach that to your groups.

Whether you clone and modify copies or modify the original is a personal preference.

It should work either way and there are folks who prefer one over the other for various reasons.

Tom

New Member

Re: CSA 5.2.0.225 and Wireless

The Network Access Control rule is not performing the way I'd like. I would like for the rule with a system state of "Ethernet" is active to disable the wireless adapter from getting an IP address and/or connecting to the AP. I don't want to bridge my protected network with an unprotected one. I added the network service UDP/TCP along with the 192 IP range but it has not corrected my issue.

Thanks,

Blue

Re: CSA 5.2.0.225 and Wireless

As Bradley mentioned, it does connect and get an address but does not allow traffic.

It wasn't designed to disable the adapter or DHCP, just deny access through the adapter.

There may be other things you can do to lock it down further but I think it is doing what you need it to.

Tom

New Member

Re: CSA 5.2.0.225 and Wireless

Has anyone managed to get the CSA to disable the WLAN adapter if an ethernet connection is detected?

Although the CSA is ensuring that wired/wireless networks aren't bridged, it would be ideal if it could disable the adapter before it connected to a WLAN network instead of simply blocking traffic.
