Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Guest access control

Hy there,

I've set up a gest SSID using WLC 4400. Everything works as expected, but my costumer requested to block access to this SSID to corporate laptops.

I guess it could only be done by MAC Address filtering, but this is not a very good solution because:

- WLC works with a permit MAC policy (can one create a deny MAC policy so I can list and deny all the corporate MACs under the Guest SSID?);

- If I apply a MAC list to the Guest SSID the only the allowed MAC will be able to see the Web Authentication page (that has been set up with instructions to call our Service Desk for the creation of a valid account).

Are there any other solutions? I also thought that maybe if there is an Active Directory rule to block an SSID, but I haven't checked it out yet. I guess this should only work if every corporate computer uses the Windows Wireless Services but I'm not sure.

Any other ideas?

Regards,

Tiago Molinos

9 REPLIES
Hall of Fame Super Silver

Re: Guest access control

How are your guest accessing the guest network? Is it just open and that is why internal users can just add the ssid and hop on the guest network? You can always use GPO to define the wireless profiles on a domain computer.

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest access control

Hy!

Guests access the network via Web authentication. In my point of view with use of time limited guest accounts its fairly secured, but the costumer just asked for this feature.

I'll try to propose AD Group Policies to them.

Thanks,

Tiago Molinos

Hall of Fame Super Silver

Re: Guest access control

You don't want to create guest users on AD. Keep the accounst on the WLC. What you can do is create dummy radius servers and add that to the wlan ssid list. The WLC checks the local db then the radius servers and that is why internal users can use their ad credentials to access the guest. So you will need to add 3 dummy radius servers and add all three to the radius list on the wlan. It is a workaround, but that is they only way so far you can limit the webauth to guest users.

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest access control

It's possible to deploy a GPO to deny access to some SSID

http://technet.microsoft.com/en-us/magazine/cc162468.aspx

With a deny list, you can specify by name the set of wireless networks to which the wireless client is not allowed to connect.

New Member

Re: Guest access control

Hi!

I think this good solution will only work with Windows Vista clients right? If so it's not a good one for me as almost 90% of clients are XP based...

Regards,

Tiago Molinos

New Member

Re: Guest access control

The policy can be applied to XP clients but the AD must be running on Windows 2003

New Member

Re: Guest access control

That's great news! Do you have a link for a guide on how to get this to work?

New Member

Re: Guest access control

I've been looking everywhere to find a way to make this work in Windows XP, but I can't seem to find anything. Anyway the customer still has lots of wireless clients using Win2K... So this is not the solution... Any sugestions? I've read something in respect to NAC and a client for improving security that as to be installed in every laptop that could work... Any experience with this type of solution?

New Member

Re: Guest access control

227
Views
10
Helpful
9
Replies
CreatePlease to create content