Cisco Support Community
Community Member

Hi, I would like anyone to share their idea on the following WLAN solution requirement I am working on.

I have a client that wants a wireless solution that will deny all the domain machines (laptops and co) within their organization access to the WLAN and permit only personal WLAN devices brought in by employees, using their domain username and password to authenticate.

The security solution intended is WPA2 Enterprise (802.1X) and it is controller based Cisco WLAN.

This is an unusual requirement, as it is usually the other way round.

MAC filtering is not an option. Please kindly share your thoughts on this....

5 REPLIES
Hall of Fame Super Silver

Hi, I would like anyone to share their idea on the following WLA

That is a weird request, but I don't see why it can't be done. You would set up your policy (point to domain computers) as if you wanted it to pass, but at the end, you say deny access. You have to make sure you push a wireless profile on the domain computers to use machine authentication, or a policy to prevent them from adding that SSID or changing that SSID. This is in ACS though. What RADIUS server are you using?

-Scott
*** Please rate helpful posts ***
Community Member

Hi, I would like anyone to share their idea on the following WLA

The RADIUS server would be Cisco ACS.

That was my take as well on the requirement. There would have to be 2 policies, I believe: the 1st policy exactly as you have specified, and the 2nd policy would permit the users.

Hall of Fame Super Silver

Re: Hi, I would like anyone to share their idea on the following

Correct... One would look for domain computers and the other for domain users or another group in AD. It also might just be easier to lock the wireless profile via GPO, either using the wrong authentication or preventing users from adding the SSID.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Re: Hi, I would like anyone to share their idea on the following

Thanks very much for sharing your thoughts...

Community Member

Hi, I would like anyone to share their idea on the following WLA

I'd just like to add a thought:

Although you could prevent users from adding more SSIDs with Windows Zero Config, if they were to turn off Windows wireless settings on the domain device and switch to the WLAN card utility, they could possibly override the domain settings. Something to keep in mind.
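An added illustration, not part of any post in this thread and not ACS syntax: a Python model of the two ordered rules discussed above (match domain computers and deny, then permit domain users), plus a check over authentication records for the case raised in the last reply, where a domain laptop gets on with user credentials. Rule names, record fields and sample data are constructed; the check assumes the laptop tried machine authentication (identity `host/<fqdn>`) at least once from the same MAC.

```python
# Added illustration: first-match authorization policy plus a log check.
# Rule names, field names and sample records are constructed, not ACS syntax.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    identity: str         # 802.1X identity; Windows machine auth sends "host/<fqdn>"
    ad_groups: frozenset  # AD groups the RADIUS server resolved for that identity
    calling_station: str  # client MAC (RADIUS Calling-Station-Id)

# Ordered rules: the match on Domain Computers comes first and ends in a deny.
RULES = [
    ("deny-domain-computers", "Domain Computers", "DENY"),
    ("permit-domain-users", "Domain Users", "PERMIT"),
]

def authorize(req):
    """Return (rule_name, result) for the first rule whose AD group matches."""
    for name, group, result in RULES:
        if group in req.ad_groups:
            return name, result
    return "default", "DENY"  # nothing matched: deny

def machines_using_user_auth(requests):
    """MACs denied as a domain computer that were also permitted as a user."""
    denied, permitted = set(), {}
    for req in requests:
        rule, result = authorize(req)
        if rule == "deny-domain-computers":
            denied.add(req.calling_station)
        elif result == "PERMIT":
            permitted.setdefault(req.calling_station, set()).add(req.identity)
    return {mac: sorted(ids) for mac, ids in permitted.items() if mac in denied}

# Constructed sample records (hypothetical names and MAC addresses).
SAMPLE = [
    Request("host/lt-0142.corp.example", frozenset({"Domain Computers"}), "00-11-22-33-44-55"),
    Request("CORP\\alice", frozenset({"Domain Users"}), "AA-BB-CC-00-00-01"),
    Request("CORP\\bob", frozenset({"Domain Users"}), "00-11-22-33-44-55"),
    Request("guest", frozenset(), "AA-BB-CC-00-00-02"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.identity, r.calling_station, *authorize(r))
    print("review:", machines_using_user_auth(SAMPLE))
```

The policy alone decides on the identity presented, not on the device, which is why the replies pair it with a GPO-locked wireless profile; the log check only surfaces machines where that lock was bypassed.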
