https://community.cisco.com/t5/wireless/wireless-access/m-p/2403662#M12129 <HTML><HEAD></HEAD><BODY><P> Thanks to you both,</P><P></P><P>How about this?&nbsp; Machine authentication for domain computers along with a RADIUS server and client side certificates?&nbsp; The Guest SSID should only require a user name and password though.&nbsp; Is this doable?</P></BODY></HTML> Tue, 14 Jan 2014 21:04:47 GMT Scott Hanson 2014-01-14T21:04:47Z https://community.cisco.com/t5/wireless/wireless-access/m-p/2403659#M12122 <P>All,</P><P></P><P>looking for some suggestions on improving wireless security through restricting what devices can connect.&nbsp; I have been told about MAC lists, certificates, ACLs and a number of other things.&nbsp; Environment is a 5508 WLC at a central site with mostly 1142 and 1262 LWAPs at various remote sites.&nbsp; 2-3 SSIDs at each site and all SSIDs are the same across all sites to make it easy for users when visiting other sites.&nbsp; </P><P></P><P>Thanks in advance!&nbsp; All replies rated.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>P.S.&nbsp; I misspelled "visiting" and the spell check here suggested "fisting"&nbsp; as a suitable replacement.&nbsp; ha.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 05 Jul 2021 06:57:57 GMT https://community.cisco.com/t5/wireless/wireless-access/m-p/2403659#M12122 Scott Hanson 2021-07-05T06:57:57Z https://community.cisco.com/t5/wireless/wireless-access/m-p/2403660#M12124 <HTML><HEAD></HEAD><BODY><P>MAC-based filter is no longer a safe haven because a lot of wireless sniffer can immediately pick up the MAC address of known clients.<BR /><BR />Good enforcement policy for RADIUS/TACACS coupled with 802.1x is a sure bet to ensure corporate networks are access by legitimate corporate clients only.<BR /><BR />Sent from Cisco Technical Support Wii App</P></BODY></HTML> Tue, 14 Jan 2014 20:08:43 GMT https://community.cisco.com/t5/wireless/wireless-access/m-p/2403660#M12124 Leo Laohoo 2014-01-14T20:08:43Z https://community.cisco.com/t5/wireless/wireless-access/m-p/2403661#M12126 <HTML><HEAD></HEAD><BODY><P>It depends on what you really want to accomplish.&nbsp; For example, if you have a radius server and active directory and all the computers are domain computers, you can use machine authentication to only allow domain computers access to the network.&nbsp; Other ways is to use PEAP with AD user credentials or use of certificates on the clients side.&nbsp; All of this is 802.1x with different flavors.&nbsp; 802.1x requires a radius server and a certificate on the radius.</P><P></P><P>Another way to go is Cisco ISE which can profile devices and you can then decide what devices can access the network.&nbsp; Without really knowing what you have and what you want done, its hard to say what you can do:)</P><P></P><P>Thanks, <BR /> <BR />Scott <BR /> <BR />Help out other by using the rating system and marking answered questions as "Answered"</P></BODY></HTML> Tue, 14 Jan 2014 20:12:36 GMT https://community.cisco.com/t5/wireless/wireless-access/m-p/2403661#M12126 Scott Fella 2014-01-14T20:12:36Z https://community.cisco.com/t5/wireless/wireless-access/m-p/2403662#M12129 <HTML><HEAD></HEAD><BODY><P> Thanks to you both,</P><P></P><P>How about this?&nbsp; Machine authentication for domain computers along with a RADIUS server and client side certificates?&nbsp; The Guest SSID should only require a user name and password though.&nbsp; Is this doable?</P></BODY></HTML> Tue, 14 Jan 2014 21:04:47 GMT https://community.cisco.com/t5/wireless/wireless-access/m-p/2403662#M12129 Scott Hanson 2014-01-14T21:04:47Z https://community.cisco.com/t5/wireless/wireless-access/m-p/2403663#M12131 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Machine authentication for domain computers along with a RADIUS server and client side certificates? </PRE><P>Very common scenario.&nbsp; Doable.</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">The Guest SSID should only require a user name and password though.&nbsp; Is this doable?</PRE><P> Sure.&nbsp; Many scenarios. </P><P></P><P>1.&nbsp; Who hands out the username and passwords?</P><P>2.&nbsp; Time-based login (how many hours does the username and password last and/or guest wireless is only accessible during these times). </P></BODY></HTML> Tue, 14 Jan 2014 21:10:44 GMT https://community.cisco.com/t5/wireless/wireless-access/m-p/2403663#M12131 Leo Laohoo 2014-01-14T21:10:44Z https://community.cisco.com/t5/wireless/wireless-access/m-p/2403664#M12134 <HTML><HEAD></HEAD><BODY><P>Leo,<BR /><BR />Who hands out the username and passwords?<BR /><BR />Cisco's office in Chicago does for guest:)<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 14 Jan 2014 21:17:57 GMT https://community.cisco.com/t5/wireless/wireless-access/m-p/2403664#M12134 Scott Fella 2014-01-14T21:17:57Z