Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Restricting WLAN Access for Mobile Devices

I'm wondering if anyone has suggestions for ways of preventing mobile devices from connecting to the WLAN.  We are moving to a mainly Wireless LAN Controller-based infrastructure, so I'm focusing on possibilities with the WCS/WLC (and not worrying about IOS APs).

Our policy is to keep mobile devices off our WLAN, because we can't ensure their security (no standard patching or anti-virus solution for these devices).  But users are able to config their mobile devices' wireless profiles to allow them to authenticate.  So we can release all the policies we want.... policies don't keep them from connecting.

Because on the security concerns and the fact that they chew up IP addresses, I'm trying to figure out what we could do to keep them off our WLAN!  Any ideas are welcome!

Note:  our company is too big to entertain any MAC address filtering based on allowing known laptop MACs or blocking known mobile device MACs.


Re: Restricting WLAN Access for Mobile Devices

That is not an easy task!   NAC comes to mind first....

here is a stop-gap solution/idea:

Turn off 2.4 GHz alltogether & use 802.11a capable laptops.  It will stop all currently available mobile devices from connecting.

Granted, it is a bit harsh and impractical, but initially effective - until mobile devices speak 802.11a (my money is on Nokia being 1st).

also, using a splash page format ( along with radius authentication ) that is not mobile browser friendly is another stop-gap solution!

Cisco Employee

Re: Restricting WLAN Access for Mobile Devices

Would machine authentication help in this scenario?

Hall of Fame Super Silver

Re: Restricting WLAN Access for Mobile Devices

Machine authentication will prevent non-domain devices to authenticate successfully to the WLAN.  If you don't broadcast the SSID an use a secure encryption/authentication method, then the deivce must successfully authenticate in order to obtain an ip address.  If you use a L3 authentication method like Web-Auth or Pass-through, then the device will obtain an ip address in order to get the splash page.

*** Please rate helpful posts ***
CreatePlease to create content