Prevent Wireless 802.1x clients connecting to all Wireless Networks

CB90021204
Level 1

Hi,

I would like to have user-based certificate authentication for my wireless networks. We have a wireless network for corporate laptops and one for mobile devices like iPads/phones. I don't want corporate devices to be able to connect to the mobile wireless network and vice versa.

The problem I'm facing is once I implement user-based certificate authentication, both iPads and corporate laptops can connect to both the mobile and corporate wireless networks. Is there a way to restrict mobile devices from connecting to corporate wireless networks and corporate laptops from connecting to mobile device wireless networks?

Thanks   

1 Accepted Solution

Accepted Solutions

What you would do is for the domain machines use machine authentication and for the mobile devices either PEAP or EAP-TLS. The domain machines can also use EAP-TLS if you want. Then you would have two policies on ACS and you would use the Called-Station-Id attribute to distinguish between the SSIDs. Your AD groups would need to be different. That is why machine authentication can use the computer group and the mobile devices can use PEAP or EAP-TLS. If your SSIDs were Domain and Mobile, then you would add to your policy a Called-Station-Id with a value of *.Domain for the domain computers and *.Mobile for mobile devices.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

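To make the two-policy design in Scott's answer concrete, here is an added model of the ACS decision logic (example code, not from the original post or from Cisco). It assumes the WLC sends Called-Station-Id as "<AP-MAC>:<SSID>", that machine authentication presents a Windows-style host/<computer> identity, and it uses a constructed dictionary in place of the AD group lookup. The "naive" rule set reproduces the original problem (group and EAP type checked, SSID ignored, so each device class is accepted on the other network); the "fixed" rule set pins each rule to its SSID. It extracts the SSID and compares it exactly rather than using a wildcard such as *Domain, which would also match an SSID named, say, NotDomain.

```python
"""Model of an ACS access policy that keys on Called-Station-Id (added example).

Assumptions (not from the post): Called-Station-Id is "<AP-MAC>:<SSID>" with a
six-octet MAC in hyphen or colon notation, machine authentication identities
look like host/<computer FQDN>, and DIRECTORY stands in for AD group lookups.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed stand-in for the AD group membership ACS would query.
DIRECTORY = {
    "host/LAPTOP01.corp.example": {"Domain Computers"},
    "alice": {"Domain Users", "Mobile Users"},
}

# Assumed WLC format: <MAC>:<SSID>; the SSID is everything after the MAC.
_CSID = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(?P<ssid>.+)$")


def ssid_of(called_station_id: str) -> Optional[str]:
    """Return the SSID carried in Called-Station-Id, or None if unparseable."""
    m = _CSID.match(called_station_id)
    return m.group("ssid") if m else None


def is_machine_identity(user_name: str) -> bool:
    """Windows machine authentication presents host/<computer> as the identity."""
    return user_name.startswith("host/")


@dataclass(frozen=True)
class Request:
    user_name: str           # RADIUS User-Name
    called_station_id: str   # RADIUS Called-Station-Id from the WLC
    eap_type: str            # negotiated EAP method, e.g. "EAP-TLS" or "PEAP"


@dataclass(frozen=True)
class Rule:
    name: str
    group: str                    # required AD group
    machine_auth: bool            # True: identity must be a machine identity
    eap_types: FrozenSet[str]     # allowed EAP methods
    ssid: Optional[str] = None    # None: no Called-Station-Id condition

    def matches(self, req: Request) -> bool:
        if self.ssid is not None and ssid_of(req.called_station_id) != self.ssid:
            return False
        if is_machine_identity(req.user_name) != self.machine_auth:
            return False
        if req.eap_type not in self.eap_types:
            return False
        return self.group in DIRECTORY.get(req.user_name, set())


def evaluate(req: Request, rules: Tuple[Rule, ...]) -> str:
    """First-match evaluation; returns the matching rule name or 'REJECT'."""
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return "REJECT"


# Policy as the original poster had it: no SSID condition on either rule.
NAIVE = (
    Rule("Domain-Computers", "Domain Computers", True, frozenset({"EAP-TLS"})),
    Rule("Mobile-Users", "Mobile Users", False, frozenset({"PEAP", "EAP-TLS"})),
)

# Policy per the accepted answer: each rule also pinned to its SSID.
FIXED = (
    Rule("Domain-Computers", "Domain Computers", True, frozenset({"EAP-TLS"}), ssid="Domain"),
    Rule("Mobile-Users", "Mobile Users", False, frozenset({"PEAP", "EAP-TLS"}), ssid="Mobile"),
)

# Constructed requests: a domain laptop and a user's iPad on each SSID.
LAPTOP_ON_DOMAIN = Request("host/LAPTOP01.corp.example", "00-11-22-33-44-55:Domain", "EAP-TLS")
LAPTOP_ON_MOBILE = Request("host/LAPTOP01.corp.example", "00-11-22-33-44-55:Mobile", "EAP-TLS")
IPAD_ON_MOBILE = Request("alice", "00:11:22:33:44:55:Mobile", "EAP-TLS")
IPAD_ON_DOMAIN = Request("alice", "00:11:22:33:44:55:Domain", "EAP-TLS")

if __name__ == "__main__":
    for label, req in [("laptop/Domain", LAPTOP_ON_DOMAIN), ("laptop/Mobile", LAPTOP_ON_MOBILE),
                       ("iPad/Mobile", IPAD_ON_MOBILE), ("iPad/Domain", IPAD_ON_DOMAIN)]:
        print(f"{label:14} naive={evaluate(req, NAIVE):17} fixed={evaluate(req, FIXED)}")
```

Running it shows the laptop accepted on Mobile and the iPad accepted on Domain under NAIVE, and both rejected under FIXED while the intended pairings still succeed. The model also makes the two prerequisites from the answer explicit: the WLC must actually include the SSID in Called-Station-Id, and the machine and user populations must sit in different AD groups, otherwise the SSID condition alone cannot tell them apart.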

4 Replies

CB90021204
Level 1

Bit more information. I'm using Cisco ACS and don't currently have ISE.


Thanks Scott

No problem.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***