766
Views
10
Helpful
9
Replies

Guest access control

tiago.molinos
Level 1

Hi there,

I've set up a guest SSID using WLC 4400. Everything works as expected, but my customer requested to block access to this SSID from corporate laptops.

I guess it could only be done by MAC Address filtering, but this is not a very good solution because:

- WLC works with a permit MAC policy (can one create a deny MAC policy so I can list and deny all the corporate MACs under the Guest SSID?);

- If I apply a MAC list to the Guest SSID, then only the allowed MACs will be able to see the Web Authentication page (that has been set up with instructions to call our Service Desk for the creation of a valid account).

Are there any other solutions? I also thought that maybe there is an Active Directory rule to block an SSID, but I haven't checked it out yet. I guess this should only work if every corporate computer uses the Windows Wireless Services, but I'm not sure.

Any other ideas?

Regards,

Tiago Molinos

9 Replies

Scott Fella
Hall of Fame

How are your guests accessing the guest network? Is it just open and that is why internal users can just add the SSID and hop on the guest network? You can always use GPO to define the wireless profiles on a domain computer.

-Scott
*** Please rate helpful posts ***

Hi!

Guests access the network via Web authentication. In my point of view, with the use of time-limited guest accounts it's fairly secure, but the customer just asked for this feature.

I'll try to propose AD Group Policies to them.

Thanks,

Tiago Molinos

You don't want to create guest users on AD. Keep the accounts on the WLC. What you can do is create dummy RADIUS servers and add them to the WLAN SSID list. The WLC checks the local DB, then the RADIUS servers, and that is why internal users can use their AD credentials to access the guest network. So you will need to add 3 dummy RADIUS servers and add all three to the RADIUS list on the WLAN. It is a workaround, but that is the only way so far you can limit the webauth to guest users.

-Scott
*** Please rate helpful posts ***

olivier.nicolas
Level 1

It's possible to deploy a GPO to deny access to some SSIDs.

http://technet.microsoft.com/en-us/magazine/cc162468.aspx

With a deny list, you can specify by name the set of wireless networks to which the wireless client is not allowed to connect.

Hi!

I think this good solution will only work with Windows Vista clients, right? If so, it's not a good one for me, as almost 90% of clients are XP based...

Regards,

Tiago Molinos

The policy can be applied to XP clients, but the AD must be running on Windows 2003.

That's great news! Do you have a link for a guide on how to get this to work?

I've been looking everywhere to find a way to make this work in Windows XP, but I can't seem to find anything. Anyway, the customer still has lots of wireless clients using Win2K... So this is not the solution... Any suggestions? I've read something in respect to NAC and a client for improving security that has to be installed on every laptop that could work... Any experience with this type of solution?
