Wireless Access

Scott Hanson
Level 3

All,

Looking for some suggestions on improving wireless security through restricting what devices can connect. I have been told about MAC lists, certificates, ACLs and a number of other things. Environment is a 5508 WLC at a central site with mostly 1142 and 1262 LWAPs at various remote sites. 2-3 SSIDs at each site and all SSIDs are the same across all sites to make it easy for users when visiting other sites.

Thanks in advance!  All replies rated.     

P.S.  I misspelled "visiting" and the spell check here suggested "fisting"  as a suitable replacement.  ha.       

5 Replies

Leo Laohoo
Hall of Fame

MAC-based filter is no longer a safe haven because a lot of wireless sniffers can immediately pick up the MAC address of known clients.

Good enforcement policy for RADIUS/TACACS coupled with 802.1x is a sure bet to ensure corporate networks are accessed by legitimate corporate clients only.

Sent from Cisco Technical Support Wii App

Scott Fella
Hall of Fame

It depends on what you really want to accomplish. For example, if you have a RADIUS server and Active Directory and all the computers are domain computers, you can use machine authentication to only allow domain computers access to the network. Other ways are to use PEAP with AD user credentials or use of certificates on the client side. All of this is 802.1x with different flavors. 802.1x requires a RADIUS server and a certificate on the RADIUS.

Another way to go is Cisco ISE which can profile devices and you can then decide what devices can access the network. Without really knowing what you have and what you want done, it's hard to say what you can do :)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Thanks to you both,

How about this?  Machine authentication for domain computers along with a RADIUS server and client side certificates?  The Guest SSID should only require a user name and password though.  Is this doable?

Machine authentication for domain computers along with a RADIUS server and client side certificates? 

Very common scenario.  Doable.

The Guest SSID should only require a user name and password though.  Is this doable?

Sure.  Many scenarios.

1.  Who hands out the username and passwords?

2.  Time-based login (how many hours does the username and password last and/or guest wireless is only accessible during these times).
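
An added example, not part of any reply in this thread: a sketch of how the two WLANs discussed above (802.1X for corporate clients, username/password for guests) could be defined from the AireOS CLI of a 5508 WLC. The WLAN IDs, profile and SSID names, the 192.0.2.10 server address, the 8-hour guest lifetime and the angle-bracket placeholders are assumptions; lines starting with `#` are annotations rather than commands, and exact syntax can vary by software release.

```text
# RADIUS server entry (constructed address, placeholder shared secret)
config radius auth add 1 192.0.2.10 1812 ascii <shared-secret>

# Corporate SSID: WPA2 + AES with 802.1X key management, no PSK
config wlan create 1 CORP-PROFILE CORP-SSID
config wlan security wpa enable 1
config wlan security wpa wpa1 disable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm psk disable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan enable 1

# Guest SSID: no layer-2 security, web authentication with username/password
config wlan create 2 GUEST-PROFILE GUEST-SSID
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan enable 2

# Guest account bound to WLAN 2, valid for 8 hours (28800 seconds)
config netuser add <guest-user> <guest-password> wlan 2 userType guest lifetime 28800 description "Visitor"

# Check the result
show wlan 1
show wlan 2
show radius summary
show netuser summary
```

Whether a client must be a domain computer or present a client certificate is decided by the policy on the RADIUS server, not by these WLC commands.
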

Leo,

Who hands out the username and passwords?

Cisco's office in Chicago does for guest:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***