How can I prevent clients on our network from being attached to both wireless and wired connections to our network? Both the wireless network and the wired network are unique to each other. Clients that are attached to both are killing our internet connection at the border.
I know AnyConnect can prevent using both at the same time. Also Intel ProSet and/or Access Connections, I believe, can do that also.
Piggybacking on Scott,
You can also push login scripts that will detect the wireless connection and subnet, and force the wireless route to be a higher weight than the wired route.
If you truly need to have zero wireless connectivity when the user is wired, then you would need AnyConnect, or some other supplicant that allows you to disable wireless when wired.
Thank you both for your replies. Let me add a little more detail. The client machines are not owned by the institution. I have seen all flavors of operating systems. We have approximately 60% Windows-based clients, 35% are Macs and the remainder are Linux-based clients that I need to prevent from being on both networks at the same time. AnyConnect looks like Windows only (unless I'm looking in the wrong place). We have tried educating the clients. If I got a nickel for every time I hear "I forgot" I could retire. Somehow I need to take control.
Heh, if I had that nickel I could retire as well!
There is an AnyConnect for Mac as well, so it would be possible if the machines were under your administrative control.
So it sounds like this would be a BYOD network then, which does make it a bit more difficult. What are you using for authentication? Is it just a PSK network? If you are using 802.1x you might be able to use ISE to profile the connection coming from the wireless connection, and deny that connectivity if there is a user coming in on the wire at the same time.
You could also put in a webauth page. This won't stop the user from getting on the wireless, but it will stop them from passing traffic until they have authenticated/accepted the T&C.
Welcome to CSC, I notice it's your first post ..
So I will add my 2 cents.
Dell and HP allow you to turn off the wireless NIC when a wired connection is detected in the BIOS. But most wireless supplicants allow this configuration as well. For example, Intel calls it "adapter switching". I did a blog post on this subject some time ago.
AnyConnect for Mac is VPN only. Apple doesn't allow control of the WiFi on Apple devices.
You pose an interesting challenge ... Let me think about this one ... But ISE could be a fix, but it's an expensive offering to do just what you want it to.
Are you worried about DHCP leases? Because, for example, Windows... it will only use one path, either the Ethernet or the wireless, usually the Ethernet. On Macs, you set up an order to the priority you want to use, either wired or wireless; it will not use both unless you're running a VM, Parallels or something like those.
Yes, this is definitely a BYOD issue. Let me further complicate or clarify a bit more. First, this is a 100% Cisco infrastructure (access points, WCS and switches). Campus-wide wireless requires the client to authenticate using Active Directory credentials. The wired ports are in our residence halls. Our students roam the campus all day on wireless. They go back to their rooms late afternoon/evening and for whatever reason they plug into the wall port. All residence halls have full wireless coverage so I'm not sure what is motivating them to plug in. On the wired ports we are still using an old Linux-based "NetReg" system that requires the user to register once a semester using their Active Directory account. This registration system allows us to match a MAC address with Active Directory credentials. I have been hoping Cisco's new NCS will give me additional options down this path.
Bottom line, this situation is creating too many "child processes" on our packet shaping appliance (non-Cisco device). The manufacturer of this device is of course blaming everything but his own device, but at the end of the conversation says the child process limit was lifted on his next-generation appliance. I don't have the tens of thousands of dollars left over in this year's budget to replace it. In addition, replacing this device does not address the security issues associated with bridging two networks like this.
One side effect I ran into last week due to this issue was a wired-only client received an IP address for the wireless network. Once I located the person that was double-homed on that same switch, the issue went away.
Thanks for all the input.
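An added example, not part of the thread or any poster's code: one way to find double-homed clients from the data the thread describes, by joining the NetReg MAC-to-account registrations with wired DHCP leases and wireless 802.1X sessions on the Active Directory username. The record layouts, function names and all sample values are constructed assumptions, not NetReg, WCS or DHCP server formats.

```python
from datetime import datetime, timedelta

# Constructed sample data; field layouts are assumptions, not real export formats.
NETREG = {  # wired MAC -> Active Directory account (registered once a semester)
    "00:11:22:33:44:55": "jsmith",
    "66:77:88:99:aa:bb": "mlee",
}
WIRED_LEASES = [  # (wired mac, lease start, lease end) from the residence-hall scope
    ("00:11:22:33:44:55", "2024-03-01 18:00", "2024-03-01 22:00"),
    ("66:77:88:99:aa:bb", "2024-03-01 19:00", "2024-03-01 21:00"),
]
WIRELESS_SESSIONS = [  # (AD user, wireless mac, session start, session end)
    ("jsmith", "de:ad:be:ef:00:01", "2024-03-01 17:30", "2024-03-01 20:15"),
    ("mlee", "de:ad:be:ef:00:02", "2024-03-01 09:00", "2024-03-01 18:45"),
]

def _ts(s):
    """Parse the constructed timestamp format used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def find_double_homed(netreg, leases, sessions, min_overlap=timedelta(minutes=5)):
    """Return (user, wired_mac, wireless_mac, overlap) where one account is
    active on the wired and the wireless network at the same time."""
    hits = []
    for mac, l_start, l_end in leases:
        user = netreg.get(mac.lower())
        if user is None:
            continue  # unregistered MAC: cannot be tied to an account
        for s_user, s_mac, s_start, s_end in sessions:
            if s_user.lower() != user.lower():
                continue
            # Interval intersection: negative or tiny values mean no real overlap.
            overlap = min(_ts(l_end), _ts(s_end)) - max(_ts(l_start), _ts(s_start))
            if overlap >= min_overlap:
                hits.append((user, mac, s_mac, overlap))
    return hits

if __name__ == "__main__":
    for user, wired, wifi, overlap in find_double_homed(
            NETREG, WIRED_LEASES, WIRELESS_SESSIONS):
        print(f"{user}: wired {wired} and wireless {wifi} overlap for {overlap}")
```

The match is per account, not per machine, so a student with a laptop on the wall port and a phone on wireless also appears; treat the output as a list of candidates to review.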