I've set up a guest SSID using a WLC 4400. Everything works as expected, but my customer requested that access to this SSID be blocked for corporate laptops.
I guess it could only be done by MAC Address filtering, but this is not a very good solution because:
- WLC works with a permit MAC policy (can one create a deny MAC policy so I can list and deny all the corporate MACs under the Guest SSID?);
- If I apply a MAC list to the Guest SSID, only the allowed MACs will be able to see the Web Authentication page (which has been set up with instructions to call our Service Desk for the creation of a valid account).
Are there any other solutions? I also thought that maybe there is an Active Directory rule to block an SSID, but I haven't checked it out yet. I guess this would only work if every corporate computer uses the Windows Wireless Services, but I'm not sure.
Any other ideas?
How are your guests accessing the guest network? Is it just open, and that is why internal users can just add the SSID and hop on the guest network? You can always use GPO to define the wireless profiles on a domain computer.
Guests access the network via Web authentication. In my point of view, with the use of time-limited guest accounts it's fairly secure, but the customer just asked for this feature.
I'll try to propose AD Group Policies to them.
You don't want to create guest users on AD. Keep the accounts on the WLC. What you can do is create dummy RADIUS servers and add them to the WLAN SSID list. The WLC checks the local DB, then the RADIUS servers, and that is why internal users can use their AD credentials to access the guest network. So you will need to add 3 dummy RADIUS servers and add all three to the RADIUS list on the WLAN. It is a workaround, but that is the only way so far you can limit the webauth to guest users.
It's possible to deploy a GPO to deny access to some SSIDs.
With a deny list, you can specify by name the set of wireless networks to which the wireless client is not allowed to connect.
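The deny list above is what the wireless GPO pushes to Vista and later clients; the same block can be applied locally with netsh to test it on one machine before rolling out the policy. This is an added example, not from the thread; "Guest" is a placeholder for the real guest SSID name, and the commands must run from an elevated prompt.

```powershell
# Added example (not from this thread): apply and verify a local SSID block filter
# on a Windows Vista or later client. "Guest" is a placeholder for the guest SSID.
$guestSsid = "Guest"   # placeholder, replace with the customer's guest SSID

# netsh wlan exists only on Vista and later; XP and Win2K clients (as noted in
# the thread) have no equivalent, so stop rather than fail half-way.
$os = [Environment]::OSVersion.Version
if ($os.Major -lt 6) {
    Write-Warning "netsh wlan filters require Windows Vista or later; this host runs $os."
    return
}

# Deny this corporate laptop from associating with the guest SSID (infrastructure mode).
netsh wlan add filter permission=block ssid="$guestSsid" networktype=infrastructure

# Optionally hide blocked networks from the 'available networks' list.
netsh wlan set blockednetworks display=hide

# Verify the block filter is in place; the guest SSID should appear under "Block list".
netsh wlan show filters permission=block

# To undo the test on this machine:
#   netsh wlan delete filter permission=block ssid="$guestSsid" networktype=infrastructure
```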
I think this good solution will only work with Windows Vista clients, right? If so, it's not a good one for me, as almost 90% of clients are XP based...
I've been looking everywhere to find a way to make this work in Windows XP, but I can't seem to find anything. Anyway, the customer still has lots of wireless clients using Win2K... So this is not the solution... Any suggestions? I've read something with respect to NAC and a client for improving security that has to be installed on every laptop that could work... Any experience with this type of solution?
Maybe try CSA:
You can define plenty of rules.