Cisco Support Community

New Member

How can I restrict who connects with WPA?

Our current network is using WPA, with the users getting authenticated via the Windows domain. Anyone with a domain login can use the same credentials to log in to the wireless network.

Is there a way to keep some users from authenticating to the wireless network?

I was not sure if the Windows domain had an option to set who can and cannot access the wireless.

What I am trying to prevent is a user installing a wireless card into their laptop, getting the SSID from another user and then accessing the wireless network with permission.


Re: How can I restrict who connects with WPA?

If your company standardizes on a given wireless NIC, you might be able to institute a MAC filter.

If you're using WPA with server-based authentication, you can usually install a policy (i.e., with Microsoft IAS, RRAS, and the user account, you can disable wireless logins by checking / unchecking the "Dial-in" attribute).

Are you using ACS, Microsoft, or freeRADIUS (or other RADIUS server)?

WPA is more of an encryption thing; which authentication scheme are you using (WPA-PSK, LEAP, PEAP, EAP-TLS, EAP-TTLS, MD5 ...)?

If you're using Microsoft-based authentication platforms, Microsoft has some pretty good white papers / step-by-step info on setting up their systems.

Good Luck


New Member

Re: How can I restrict who connects with WPA?

We are using ACS for the RADIUS but passing all authentication on to the Microsoft Server for authentication.



Re: How can I restrict who connects with WPA?

There are a couple options.

You can tell ACS to honor the "Dial-In User" attribute in the MS AD User profile ... anyone who is not "Dial In enabled" will not be authenticated.

I believe you could also define one or more groups in ACS. Membership in a particular group could be used to accept or deny entry via wireless.

There are probably other means, but these are likely to be the easiest to implement.

Good Luck
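
An added example, not part of any post in this thread: a PowerShell audit that compares the AD "Dial-in" flag (stored in the `msNPAllowDialin` attribute) with a list of users approved for wireless, so drift shows up before the RADIUS server is told to honor the flag. The function name, the group name `Wireless-Users` and the sample accounts are hypothetical.

```powershell
# Added example. Reports accounts whose Dial-in flag disagrees with the
# approved wireless list. msNPAllowDialin is $true (allow), $false (deny)
# or absent (never set on the account).
function Get-WirelessAccessDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Approved
    )
    foreach ($u in $Users) {
        if ($null -eq $u.msNPAllowDialin) { $state = 'NotSet' }
        elseif ($u.msNPAllowDialin)       { $state = 'Allow' }
        else                              { $state = 'Deny' }

        $isApproved = $Approved -contains $u.SamAccountName
        $finding = $null
        if ($state -eq 'Allow' -and -not $isApproved) {
            $finding = 'Dial-in enabled but not approved for wireless'
        } elseif ($state -ne 'Allow' -and $isApproved) {
            $finding = 'Approved for wireless but Dial-in not enabled'
        }
        if ($finding) {
            [pscustomobject]@{
                User    = $u.SamAccountName
                DialIn  = $state
                Finding = $finding
            }
        }
    }
}

# Constructed sample data so the function can be tried offline.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msNPAllowDialin = $true  }
    [pscustomobject]@{ SamAccountName = 'bob';   msNPAllowDialin = $null  }
    [pscustomobject]@{ SamAccountName = 'carol'; msNPAllowDialin = $true  }
    [pscustomobject]@{ SamAccountName = 'dave';  msNPAllowDialin = $false }
)
Get-WirelessAccessDrift -Users $sampleUsers -Approved 'alice', 'bob'

# Against a live domain (needs the ActiveDirectory module):
# $users    = Get-ADUser -Filter 'Enabled -eq $true' -Properties msNPAllowDialin
# $approved = Get-ADGroupMember -Identity 'Wireless-Users' -Recursive |
#             Select-Object -ExpandProperty SamAccountName
# Get-WirelessAccessDrift -Users $users -Approved $approved
```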

