Cisco Support Community
New Member

Unable to block Non-Corporate machine access to CORP wireless network

Hello everyone,

I am facing this problem right now. I created rule 1 for host authentication and rule 2 for user authentication, but it seems I am unable to block non-corporate machines (iPad or smart phone) from accessing the CORP wireless network if people put in a valid domain username and password.

Here are the details, please help.

Rule 1 --Host AUTH---

External Groups : AD1

Protocol: Radius

Was Machine Authenticated: -ANY-

System name : start with host/

Results : Permit Access

Rule 2 --User AUTH---

External Groups : AD1

Protocol: Radius

Was Machine Authenticated: -true-

System name : -ANY-

Results : Permit Access

Default : Deny Access

Now, if I connect a personal smart phone with a Windows username and password, ACS is able to block it; screenshot as follows:

blocked.jpg

But if I connect the same personal phone with "domain\username" and password, the phone is able to connect, and here is the screenshot:

unblocked.jpg

The question is: why is the "host AUTH" rule matched when I use "domain\username" on a personal phone? I did check the system name in "host AUTH", and access is permitted only when the system name starts with "host/", so how come this person is able to pass the rule?

3 REPLIES

Hall of Fame Super Gold

802.1X should be able to block smartphones and tablets.

But the main question is: WHY?

With the advent of Bring Your Own Device (BYOD), you are going against the flow of the corporate trend. You may as well embrace this phenomenon while you can; otherwise your clients will find a way (whether you like it or not) to get their personal devices onto your network.

New Member

We don't have BYOD at this moment, so we don't want employees to access the CORP wireless network with their personal devices.

Back to the question: I was able to authenticate the laptop by machine name, and it seems to work if I only type the username without the domain.

But if I type "domain\username" into the phone, I am able to connect. I don't know why this can happen or how to fix it.

Please offer your kind help, thanks all.

Bronze

Hi Fan,

For rule 2, what AD containers did you specify? Did you include Domain Computers? Also under User and Identity Stores ---> External Identity Stores-----> Active Directory, did you check Enable machine authentication and Machine Access Restrictions?

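To make the intended behaviour of the two rules concrete, here is an added illustration (written for this page, not Cisco ACS code) that models the policy as the thread lists it and adds the Machine Access Restriction (MAR) linkage the last reply asks about: a user authentication only succeeds if the same client MAC (Calling-Station-Id) completed a host/ machine authentication within an aging window. The MAR cache keyed by MAC, the aging window of six hours, the AD1 membership table and the identity-to-account mapping are all assumptions made for the example; the model shows what the rules are meant to enforce, so it does not reproduce the unexpected permit the original poster reports with "domain\username".

```python
"""Toy evaluation of the two-rule ACS-style policy from this thread, with a
Machine Access Restriction (MAR) cache.  Added illustration, not Cisco ACS
code.  Assumptions: MAR cache keyed by Calling-Station-Id with an aging
window; a constructed AD1 membership table; a simple identity-to-account map."""
from dataclasses import dataclass

HOST_PREFIX = "host/"          # machine identities sent by Windows supplicants
MAR_AGING_SECONDS = 6 * 3600   # assumed MAR aging window

# Constructed AD1 membership: one user account and one computer account.
AD1_MEMBERS = {"fan", "laptop01$"}


@dataclass
class Request:
    identity: str           # RADIUS User-Name as sent by the supplicant
    calling_station: str    # Calling-Station-Id (client MAC)
    now: int                # request time in seconds (constructed clock)
    protocol: str = "RADIUS"


def is_machine_identity(identity: str) -> bool:
    """Rule 1 condition: System name starts with host/."""
    return identity.startswith(HOST_PREFIX)


def ad_account(identity: str) -> str:
    """Map a RADIUS identity to an AD sAMAccountName (assumed mapping).
    host/LAPTOP01.corp.example -> laptop01$ ; CORP\\fan and fan@corp.example -> fan"""
    if is_machine_identity(identity):
        fqdn = identity[len(HOST_PREFIX):]
        return fqdn.split(".", 1)[0].lower() + "$"
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    return identity.split("@", 1)[0].lower()


class AccessPolicy:
    def __init__(self) -> None:
        # MAR cache: client MAC -> time of its last successful machine auth
        self.mar_cache: dict[str, int] = {}

    def was_machine_authenticated(self, req: Request) -> bool:
        stamp = self.mar_cache.get(req.calling_station)
        return stamp is not None and req.now - stamp <= MAR_AGING_SECONDS

    def evaluate(self, req: Request) -> str:
        # Both rules require Protocol: RADIUS and External Group: AD1
        if req.protocol != "RADIUS" or ad_account(req.identity) not in AD1_MEMBERS:
            return "Deny Access"
        # Rule 1 (Host AUTH): System name starts with host/, Was Machine Authenticated: ANY
        if is_machine_identity(req.identity):
            self.mar_cache[req.calling_station] = req.now
            return "Permit Access"
        # Rule 2 (User AUTH): System name ANY, Was Machine Authenticated: true
        if self.was_machine_authenticated(req):
            return "Permit Access"
        # Default
        return "Deny Access"


def run_scenarios() -> dict[str, str]:
    """Constructed sessions: a corporate laptop and a personal phone, same user."""
    policy = AccessPolicy()
    laptop_mac = "00:11:22:33:44:55"
    phone_mac = "66:77:88:99:aa:bb"
    results = {}
    # Corporate laptop: machine auth at boot, then user logon from the same MAC.
    results["laptop_machine"] = policy.evaluate(
        Request("host/LAPTOP01.corp.example", laptop_mac, now=0))
    results["laptop_user"] = policy.evaluate(Request("CORP\\fan", laptop_mac, now=60))
    # Personal phone: valid domain credentials, but this MAC never did machine auth.
    results["phone_plain"] = policy.evaluate(Request("fan", phone_mac, now=120))
    results["phone_domain"] = policy.evaluate(Request("CORP\\fan", phone_mac, now=180))
    # Account outside AD1 is denied before either rule is considered.
    results["phone_guest"] = policy.evaluate(Request("CORP\\guest", phone_mac, now=240))
    # Laptop user logon after the MAR entry aged out: machine auth must happen again.
    results["laptop_user_stale"] = policy.evaluate(
        Request("fan@corp.example", laptop_mac, now=MAR_AGING_SECONDS + 61))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} {verdict}")
```

The point of keying the MAR cache by MAC rather than by username is visible in the "phone_domain" case: the credentials are valid and the user is in AD1, but the phone's MAC has no machine-authentication entry, so rule 2 cannot fire and the default deny applies. A real deployment should verify the same thing in the ACS logs (the user session on a new MAC should hit the default rule, not Host AUTH) before trusting the policy to keep personal devices off the SSID.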