cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
676
Views
1
Helpful
9
Replies

Blocking laptops from SSID-Mobile

chanduavirni
Level 1
Level 1

Hi All

@Cisco ISE

We have PC SSID and Mobile SSID, both are logging by AD credentials.

i want to stop  to connect PC user to Mobile SSID. we are using Cisco ISE 3615 and cisco controller 5560.

Any solutions for this issue..?

9 Replies 9

Gopinath_Pigili
Spotlight
Spotlight

I think you can achieve this by implementing ISE Policies.....

Please go through the following link.....

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html

Best regards
******* If This Helps, Please Rate *******

Hi

Ciso ISE ver--2.7.0.356

Cisco controller-5520

for both PC and Mobile SSID are working radius. I have 2 SSID , i want to stop PC users to connect the Mobile SSID.

Thanks

you are not explaining your situation clearly. you have 2 SSID, what are each one for? are those PC's BYOD or managed by your organization via GPO? how is the configuration of each SSID and what Protocol is being used PEAP/EAP-TLS, etc?

What are you EAP types? Certificates? Working RADIUS how?

Authentication is Radius based, using a security EAP method configured on the RADIUS server.

network access control via EAP-TLS as authentication protocol for devices supporting 802.1x and MAC

Certificates-- EAP Authentication, RADIUS DTLS 

ajc
Level 7
Level 7

IF you are using a device that has the feature called  "randomized MAC" then nothing can be done other than continuously update the Endpoint Group with those MAC addresses you want to block.

So you have 2 options, 

In the WLC --- > Security ---- > AAA --- > Disabled Clients --- > Manual disable (Enter the wireless MAC address of the device, this would block the device from ASSOCIATING to the AP)

OR

 

In ISE: create and endpoint group called blocked PC (or whatever name you want to use) and add the MAC address of the device you want to block, then --- > create a AUTHZ Policy where all the devices connecting to the specific SSID and belonging to the Endpoint Group created would have "deny access". as a result This strategy would not block the device from associating to the AP but the authentication/authorization would be denied.

 

 

thomas
Cisco Employee
Cisco Employee

Your problem is that you want to different by endpoint type (PC workstation vs mobile) but you are using user AD credentials which can equally be used for both. You have no way to differentiate based on user credentials alone! 8-) 

Option 1: Profile your endpoints on the Mobile SSID and if they are not profiled as mobile endpoints, reject / block them.

Option 2: Use one SSID. Who cares whether your users are PCs or Workstations if they are all your users? You have not explained why this is a reasonable policy.

Option 3: Change your credential type(s) to differentiate PC vs mobile. You could use certificates on either or both to differentiate by authentication method or potentially use certificate field values to differentiate.

Option 4: Use an MDM to provision your PCs and/or mobile endpoints with certificates and/or wireless profiles to connect to the appropriate wireless SSID and lock the settings so your users cannot configure other options.

hslai
Cisco Employee
Cisco Employee

If the PCs are managed by IT, then it's possible to block certain SSIDs. Below is a discussion on Microsoft Windows: