Cisco NAC to prevent simultaneous Wi-Fi and Wired Access

p.charalambous1
Level 1

Hello,

We have the following security requirement in my company's internal corporate network: we have several Cisco Wi-Fi access points installed inside my company's buildings which provide direct Internet access for guests. However, these Wi-Fi access points are also used by employees who are connected with their corporate laptop to the wired internal network and also connect via Wi-Fi to get unrestricted Internet access. This is not allowed by the security policy, but a lot of employees do it all the time in order to circumvent the restrictions of the internal network and get unrestricted Internet access from the Wi-Fi.

I was wondering if the Cisco NAC solution can help us prevent employees from connecting to the guest Wi-Fi access points while they are connected to the internal network. Can we use Cisco NAC in any way to provide such a restriction? Maybe a NAC agent can check whether wireless is enabled on the laptop and, if it's enabled, won't allow wired access to the internal network. Is this possible?

Thanks


10 Replies

edondurguti
Level 4

How are you providing guest access, Autonomous APs, Wireless Controller?

How do employees know the guest password?

Hi,

Right now we have autonomous APs which we are planning to connect to a Wireless Controller.

Guest Access is open

Nilesh Pardeshi
Level 1

NAC can be used to control the users; for example, you can write a policy that a user can't access the network if they don't have an updated antivirus, etc.

This is just one of the roles that NAC can play.

Coming down to users connecting on Wi-Fi: you can add a security key on the WLC (if used); what I am talking about is called a PSK (pre-shared key).

So, when users are trying to connect on Wi-Fi they will be asked for this key, and the one who has the key will be able to authenticate.

And yes, to end this, Cisco NAC can work for wired and wireless users. The only thing that you will have to take care of is that the device where the users get connected (wired/wireless) needs to be added to the NAC box, so that the NAC box can filter the data passing through it.

Thanks Nilesh,

We thought about a pre-shared key as well, which, however, is something that will not work for long, since employees will eventually find out the pre-shared key for the guest Wi-Fi and use it.

eric.fisher
Level 1

We ran into the same problem and tried to find a solution using NAC. We did not find an ideal solution. We found it was easier to change the default local policy for the Wi-Fi adapter on the local boxes. In our case, using Intel PROSet to change the "adapter switching" setting, which disables the Wi-Fi adapter when wired in. Sorry for straying a little outside of the NAC arena with my answer...

Hi,

The AnyConnect NAM supplicant (free for Cisco customers) will also fix this issue. When you plug in via wired, the radio shuts off.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

The AnyConnect NAM agent looks very good, but don't you need to have a full-blown Cisco NAC infrastructure for this to work?

Eric,

Your solution seems very good in my opinion.

I have done some more investigation and I have found another solution which might be helpful. Since we are using Windows computers for employees which are controlled by Active Directory, you can enforce a Group Policy on AD which will put the Guest Wi-Fi SSID on a blacklist. Therefore, the Windows machines of the employees will not be able to connect to the Guest Wi-Fi SSID.

What do you guys think of the above?
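As an added example that is not part of any post in this thread: the local-machine equivalent of the AD "Wireless Network (IEEE 802.11) Policies" denied-networks entry, set via netsh, plus a check that reports a host with a wired and a wireless link up at the same time. It assumes Windows 8 / Server 2012 or later (Get-NetAdapter), an elevated prompt for the netsh filter, and a placeholder guest SSID name "CorpGuest".

```powershell
# Added example, not code from the thread. Assumes Windows 8+/Server 2012+ for
# Get-NetAdapter, an elevated PowerShell for "netsh wlan add filter", and that
# "CorpGuest" is a placeholder for the real guest SSID.

$GuestSsid = 'CorpGuest'   # placeholder; substitute the guest SSID

function Add-GuestSsidBlock {
    param([string]$Ssid)
    # Same effect as a "Denied" SSID in the Wireless Network GPO, applied locally:
    # the WLAN AutoConfig service refuses to connect to this infrastructure SSID.
    netsh wlan add filter permission=block ssid="$Ssid" networktype=infrastructure | Out-Null
    # Return the resulting block list so it can be inspected or logged.
    netsh wlan show filters permission=block
}

function Get-SimultaneousLinks {
    # Physical adapters that are currently Up, split by media type:
    # '802.3' is Ethernet, 'Native 802.11' is Wi-Fi.
    $up    = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
    $wired = @($up | Where-Object PhysicalMediaType -eq '802.3')
    $wifi  = @($up | Where-Object PhysicalMediaType -eq 'Native 802.11')
    [pscustomobject]@{
        Wired        = ($wired.Name -join ',')
        Wireless     = ($wifi.Name -join ',')
        Simultaneous = ($wired.Count -gt 0) -and ($wifi.Count -gt 0)
    }
}

Add-GuestSsidBlock -Ssid $GuestSsid

$r = Get-SimultaneousLinks
if ($r.Simultaneous) {
    Write-Warning "Policy violation on $env:COMPUTERNAME: wired ($($r.Wired)) and wireless ($($r.Wireless)) are both up"
} else {
    Write-Output "OK: no simultaneous wired/wireless link on $env:COMPUTERNAME"
}
```

The filter only stops connections to the named SSID; the second function is what tells you whether a machine is currently bridging the two networks regardless of which SSID it joined.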

No, you don't need a NAC solution at all to prevent simultaneous connections. You deploy a profile using the standalone profile editor to determine which networks employees can connect to. It works by default, actually: when a connection is active on the wired interface, NAM disables the wireless adapter. Give it a shot and you will see.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik for your recommendation about the AnyConnect NAM agent.