topic Re: Prevent Multiple Same Username Logon in Wireless

Prevent Multiple Same Username Logon

CSCO11177789 — Tue, 16 Jan 2024 13:09:17 GMT

Hi all,

We're using Catalyst 9800 cont. and 801.x peap with ldap username on one of ssid profile. Unfortunately ,some users gave their credentials to others and they logon same username/password.

Is there any way to prevent this ?

Best regards

Re: Prevent Multiple Same Username Logon

MHM Cisco World — Tue, 16 Jan 2024 14:56:51 GMT

I am not quite sure but during PEAP auth the WLC need user cert. And password.

Are you sure it PEAP not WPA2/WPA3

MHM

Re: Prevent Multiple Same Username Logon

CSCO11177789 — Tue, 16 Jan 2024 15:37:03 GMT

Actually profile has wpa2/wpa3 , 802.1x, aes settings also on AAA tab i'm using NPS server for authentication for ldap users on active directory. This ssid only using for users own android/ios devices internet connection because of this i prefer peap/mschapv2 (on NPS policy) instead of eap/tls.

Re: Prevent Multiple Same Username Logon

MHM Cisco World — Tue, 16 Jan 2024 15:48:40 GMT

if it wpa2/wpa3 we can not do anything
you need to use different L2 security

MHM

Re: Prevent Multiple Same Username Logon

Haydn Andrews — Tue, 16 Jan 2024 21:43:29 GMT

Couple methods you could use:

The NPS server may be able to have a policy created locking the number of logins down to X number of devices, alternatively it may allow you to do some MFA so the user has to accept the connection (although this would also impact good users).
Management enforcing it and when caught breaching the corporate IT policy issuing disciplinary action against them, word will spread.
EAP-TLS/ EAP-TEAP and certificates are really the only way to prevent it.