11-03-2023 04:00 AM
Hi All,
We have a PC SSID and a Mobile SSID; both log in with AD credentials.
I want to stop PC users from connecting to the Mobile SSID. We are using Cisco ISE 3615 and a Cisco 5560 controller.
Any solutions for this issue?
11-03-2023 04:42 AM
I think you can achieve this by implementing ISE policies.
Please go through the following link.
Best regards
******* If This Helps, Please Rate *******
11-03-2023 05:01 AM
5560? What version of ISE? What are your EAP types?
https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356
11-03-2023 08:25 AM
Hi,
Cisco ISE version 2.7.0.356
Cisco controller 5520
Both the PC and Mobile SSIDs are using RADIUS. I have 2 SSIDs; I want to stop PC users from connecting to the Mobile SSID.
Thanks
11-03-2023 08:39 AM - edited 11-03-2023 08:43 AM
You are not explaining your situation clearly. You have 2 SSIDs; what is each one for? Are those PCs BYOD or managed by your organization via GPO? What is the configuration of each SSID, and what protocol is being used (PEAP, EAP-TLS, etc.)?
11-03-2023 08:41 AM
11-10-2023 02:07 AM
Authentication is RADIUS based, using a secure EAP method configured on the RADIUS server.
Network access control via EAP-TLS as the authentication protocol for devices supporting 802.1X, and MAC
Certificates: EAP authentication, RADIUS DTLS
11-03-2023 05:56 AM - edited 11-03-2023 05:57 AM
If you are using a device that has the feature called "randomized MAC", then nothing can be done other than continuously updating the Endpoint Group with the MAC addresses you want to block.
So you have 2 options:
In the WLC: Security > AAA > Disabled Clients > Manual disable (enter the wireless MAC address of the device; this blocks the device from associating to the AP).
OR
In ISE: create an endpoint group called "Blocked PC" (or whatever name you want to use) and add the MAC address of the device you want to block, then create an AuthZ policy where all devices connecting to the specific SSID and belonging to that endpoint group get "Deny Access". This strategy would not block the device from associating to the AP, but the authentication/authorization would be denied.
11-06-2023 04:00 PM
Your problem is that you want to differentiate by endpoint type (PC workstation vs. mobile), but you are using user AD credentials, which can equally be used for both. You have no way to differentiate based on user credentials alone! 8-)
Option 1: Profile your endpoints on the Mobile SSID and if they are not profiled as mobile endpoints, reject / block them.
Option 2: Use one SSID. Who cares whether your users are PCs or Workstations if they are all your users? You have not explained why this is a reasonable policy.
Option 3: Change your credential type(s) to differentiate PC vs mobile. You could use certificates on either or both to differentiate by authentication method or potentially use certificate field values to differentiate.
Option 4: Use an MDM to provision your PCs and/or mobile endpoints with certificates and/or wireless profiles to connect to the appropriate wireless SSID and lock the settings so your users cannot configure other options.
11-10-2023 07:55 PM
If the PCs are managed by IT, then it's possible to block certain SSIDs. Below is a discussion on Microsoft Windows:
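The thread stops at the link, so here is what that Windows-side control looks like in practice. This is an added example, not code from the thread or from Cisco or Microsoft: it uses the built-in `netsh wlan` filter list to block the Mobile SSID on IT-managed PCs and then checks that the filter took effect. The SSID names `CORP-Mobile` and `CORP-PC` are assumptions, as is the section-heading text the verification step parses from `netsh wlan show filters`.

```powershell
# Added example (not from the thread): block a "Mobile" SSID on IT-managed
# Windows PCs with the built-in WLAN filter list. Run elevated, e.g. as a
# GPO computer startup script. SSID names below are assumptions.
$MobileSsid = 'CORP-Mobile'   # assumed name of the SSID PCs must not join
$PcSsid     = 'CORP-PC'       # assumed name of the SSID PCs should use

function Assert-Elevated {
    # WLAN filters are machine-wide, so netsh refuses them without admin rights.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'netsh wlan filters are machine-wide; run this script elevated.'
    }
}

function Set-WlanSsidFilters {
    param([string]$Block, [string]$Allow)
    # Deny the mobile SSID by name. The entry persists across reboots and also
    # hides the network from the user's list of available networks.
    netsh wlan add filter permission=block ssid="$Block" networktype=infrastructure | Out-Null

    # Stricter variant: allow-list only the PC SSID and deny every other
    # infrastructure network. Drop the 'denyall' line if PCs also need
    # home or hotel Wi-Fi.
    netsh wlan add filter permission=allow ssid="$Allow" networktype=infrastructure | Out-Null
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
}

function Test-WlanSsidBlocked {
    param([string]$Ssid)
    # Verify the filter actually took: 'netsh wlan show filters' prints
    # "Allow list ..." and "Block list ..." sections (assumed heading text);
    # the SSID must appear under a block section.
    $section = ''
    $blocked = $false
    foreach ($line in (netsh wlan show filters)) {
        if     ($line -match '^\s*Allow list') { $section = 'allow' }
        elseif ($line -match '^\s*Block list') { $section = 'block' }
        elseif ($section -eq 'block' -and $line -match [regex]::Escape($Ssid)) { $blocked = $true }
    }
    return $blocked
}

Assert-Elevated
Set-WlanSsidFilters -Block $MobileSsid -Allow $PcSsid
if (-not (Test-WlanSsidBlocked -Ssid $MobileSsid)) {
    Write-Error "Block filter for '$MobileSsid' not found in 'netsh wlan show filters'"
    exit 1
}
Write-Output "Blocked '$MobileSsid' for all users on this PC; allowed '$PcSsid'."
# To undo: netsh wlan delete filter permission=block ssid="$MobileSsid" networktype=infrastructure
```

Two caveats a practitioner should keep in mind. A local administrator can delete the filter with `netsh wlan delete filter`, so this is a managed-device convenience control, not enforcement; it does nothing for BYOD or unmanaged devices. The network-side enforcement still has to live in ISE, along the lines of the certificate- or profiling-based options suggested earlier in the thread, and this filter is best paired with a GPO- or MDM-pushed wireless profile for the PC SSID as Option 4 describes.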