Cisco Support Community

New Member

Wireless Access

All,

Looking for some suggestions on improving wireless security through restricting what devices can connect. I have been told about MAC lists, certificates, ACLs and a number of other things. Environment is a 5508 WLC at a central site with mostly 1142 and 1262 LWAPs at various remote sites. 2-3 SSIDs at each site and all SSIDs are the same across all sites to make it easy for users when visiting other sites.

Thanks in advance!  All replies rated.     

P.S.  I misspelled "visiting" and the spell check here suggested "fisting"  as a suitable replacement.  ha.       

5 REPLIES
Hall of Fame Super Gold

Re: Wireless Access

A MAC-based filter is no longer a safe haven because a lot of wireless sniffers can immediately pick up the MAC address of known clients.

A good enforcement policy for RADIUS/TACACS coupled with 802.1x is a sure bet to ensure corporate networks are accessed by legitimate corporate clients only.

Sent from Cisco Technical Support Wii App

Hall of Fame Super Silver

Wireless Access

It depends on what you really want to accomplish. For example, if you have a RADIUS server and Active Directory and all the computers are domain computers, you can use machine authentication to only allow domain computers access to the network. Other ways are to use PEAP with AD user credentials or to use certificates on the client side. All of this is 802.1x with different flavors. 802.1x requires a RADIUS server and a certificate on the RADIUS server.

Another way to go is Cisco ISE, which can profile devices, and you can then decide what devices can access the network. Without really knowing what you have and what you want done, it's hard to say what you can do :)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Wireless Access

Thanks to you both,

How about this?  Machine authentication for domain computers along with a RADIUS server and client side certificates?  The Guest SSID should only require a user name and password though.  Is this doable?

Hall of Fame Super Gold

Wireless Access

Machine authentication for domain computers along with a RADIUS server and client side certificates? 

Very common scenario.  Doable.

The Guest SSID should only require a user name and password though.  Is this doable?

Sure.  Many scenarios.

1.  Who hands out the username and passwords?

2.  Time-based login (how many hours does the username and password last and/or guest wireless is only accessible during these times).

Hall of Fame Super Silver

Re: Wireless Access

Leo,

Who hands out the username and passwords?

Cisco's office in Chicago does for guest:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***