01-14-2014 12:05 PM - edited 07-04-2021 11:57 PM
All,
looking for some suggestions on improving wireless security through restricting what devices can connect. I have been told about MAC lists, certificates, ACLs and a number of other things. Environment is a 5508 WLC at a central site with mostly 1142 and 1262 LWAPs at various remote sites. 2-3 SSIDs at each site and all SSIDs are the same across all sites to make it easy for users when visiting other sites.
Thanks in advance! All replies rated.
P.S. I misspelled "visiting" and the spell check here suggested "fisting" as a suitable replacement. ha.
01-14-2014 12:08 PM
MAC-based filtering is no longer a safe haven because a lot of wireless sniffers can immediately pick up the MAC address of known clients.
A good enforcement policy for RADIUS/TACACS coupled with 802.1x is a sure bet to ensure corporate networks are accessed by legitimate corporate clients only.
Sent from Cisco Technical Support Wii App
01-14-2014 12:12 PM
It depends on what you really want to accomplish. For example, if you have a RADIUS server and Active Directory and all the computers are domain computers, you can use machine authentication to only allow domain computers access to the network. Other ways are to use PEAP with AD user credentials or certificates on the client side. All of this is 802.1x in different flavors. 802.1x requires a RADIUS server and a certificate on the RADIUS server.
Another way to go is Cisco ISE, which can profile devices so you can then decide which devices can access the network. Without really knowing what you have and what you want done, it's hard to say what you can do:)
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-14-2014 01:04 PM
Thanks to you both,
How about this? Machine authentication for domain computers along with a RADIUS server and client side certificates? The Guest SSID should only require a user name and password though. Is this doable?
01-14-2014 01:10 PM
"Machine authentication for domain computers along with a RADIUS server and client side certificates?"
Very common scenario. Doable.
"The Guest SSID should only require a user name and password though. Is this doable?"
Sure. Many scenarios.
1. Who hands out the username and passwords?
2. Time-based login (how many hours does the username and password last and/or guest wireless is only accessible during these times).
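As an added example (not configuration posted in this thread), here is roughly what the two designs discussed above look like on an AireOS 5508 WLC CLI: a corporate WLAN using WPA2-AES with 802.1X against a RADIUS server, and a guest WLAN using Layer 3 web authentication with a time-limited local guest account. WLAN ids 1 and 2, the profile names, the RADIUS address 10.0.0.5 and the angle-bracket secrets are placeholders; machine-authentication and certificate checks are enforced by the RADIUS/AD side, not by the controller.

```text
! --- Corporate WLAN: WPA2-AES, 802.1X key management, RADIUS server index 1 ---
config radius auth add 1 10.0.0.5 1812 ascii <RADIUS-SHARED-SECRET>
config wlan create 1 corp-wlan corp-wlan
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan enable 1

! --- Guest WLAN: no Layer 2 security, Layer 3 web auth, local guest user valid for 8 hours ---
config wlan create 2 guest-wlan guest-wlan
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan enable 2
config netuser add guest01 <GUEST-PASSWORD> wlan 2 userType guest lifetime 28800 description "visitor"

! --- Verify the result ---
show wlan 1
show wlan 2
show radius summary
show netuser summary
```

The `lifetime` value answers Leo's second question directly: the guest account expires on its own, so nobody has to remember to remove it.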
01-14-2014 01:17 PM
Leo,
"Who hands out the username and passwords?"
Cisco's office in Chicago does for guest:)
Sent from Cisco Technical Support iPhone App