12-05-2012 03:17 AM - edited 03-10-2019 07:51 PM
Hello,
We have the following security requirement in my company's internal corporate network: we have several Cisco Wi-Fi access points installed inside my company's buildings which provide direct Internet access for guests. However, these Wi-Fi access points are also used by employees who are connected with their corporate laptops to the wired internal network and also connect via Wi-Fi to get unrestricted Internet access. This is not allowed by the security policy, but a lot of employees do it all the time in order to circumvent the restrictions of the internal network and get unrestricted Internet access from the Wi-Fi.
I was wondering if the Cisco NAC solution can help us prevent employees from connecting to the guest Wi-Fi access points while they are connected to the internal network. Can we use Cisco NAC in any way to provide such a restriction? Maybe a NAC agent can check whether wireless is enabled on the laptop, and if it's enabled it won't allow wired access to the internal network. Is this possible?
Thanks
Solved!
12-05-2012 10:12 PM
Hi,
The AnyConnect NAM supplicant (free for Cisco customers) will also fix this issue. When you plug in via wired, the radio shuts off.
Thanks,
Tarik Admani
*Please rate helpful posts*
12-05-2012 10:25 PM
No, you don't need a NAC solution at all to prevent simultaneous connections. You deploy a profile using the standalone profile editor to determine which networks employees can connect to. It actually works by default: when a connection is active on the wired interface, NAM disables the wireless adapter. Give it a shot and you will see.
Thanks,
Tarik Admani
*Please rate helpful posts*
12-05-2012 06:39 AM
How are you providing guest access: autonomous APs or a wireless controller?
How do employees know the guest password?
12-05-2012 10:03 PM
Hi,
Right now we have autonomous APs, which we are planning to connect to a wireless controller.
Guest access is open.
12-05-2012 07:28 AM
NAC can be used to control the users; for example, you can write a policy that users can't access the network if they don't have an updated antivirus, etc.
This is just one of the roles that NAC can play.
Coming down to users connecting on Wi-Fi: you can add a security key on the WLC (if used); what I am talking about is called a PSK (pre-shared key).
So, when users try to connect on Wi-Fi they will be asked for this key, and only those who have the key will be able to authenticate.
And yes, to end this, Cisco NAC can work for wired and wireless users. The only thing you will have to take care of is that the device where the users get connected (wired/wireless) needs to be added to the NAC box, so that the NAC box can filter the data passing through it.
12-05-2012 10:07 PM
Thanks, Nilesh.
We thought about a pre-shared key as well; however, that will not work for long, since employees will eventually find out the pre-shared key for the guest Wi-Fi and use it.
12-05-2012 01:01 PM
We ran into the same problem and tried to find a solution using NAC. We did not find an ideal solution. We found it was easier to change the default local policy for the Wi-Fi adapter on the local boxes: in our case, using Intel PROSet to change the "adapter switching" setting, which disables the Wi-Fi adapter when wired in. Sorry for straying a little outside of the NAC arena with my answer....
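The "adapter switching" behaviour described above (Wi-Fi off while the wired link is up) can also be implemented without Intel PROSet, using the NetAdapter cmdlets built into Windows. The script below is an added example, not from the thread, from Cisco or from Intel; it assumes Windows 8 / Server 2012 or later, an elevated session, and that Get-NetAdapter reports the Ethernet and Wi-Fi adapters with PhysicalMediaType "802.3" and "Native 802.11" respectively. It also handles the reverse case the post does not mention: when the wired link goes away (laptop undocked), Wi-Fi is re-enabled so the user is not stranded.

```powershell
# Added example (not Eric's PROSet setting): wired link up -> Wi-Fi off,
# wired link down -> Wi-Fi back on. Assumes Windows 8 / Server 2012+ and an
# elevated session; Disable-/Enable-NetAdapter require administrator rights.

function Test-WiredLinkUp {
    [CmdletBinding()]
    param()
    # Physical Ethernet adapters that currently have link. -Physical excludes
    # virtual adapters (VPN, Hyper-V, loopback) so a VPN tunnel does not count as "wired".
    $wired = Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up'
    }
    return [bool]$wired
}

function Sync-WirelessToWiredState {
    [CmdletBinding()]
    param()
    $wifi = Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
    if (-not $wifi) {
        Write-Verbose 'No Wi-Fi adapter present; nothing to do.'
        return
    }

    if (Test-WiredLinkUp) {
        # Wired link is up: switch the radio off so the laptop cannot also sit on the guest SSID.
        Write-Verbose 'Wired link up: disabling Wi-Fi adapter(s).'
        $wifi | Where-Object { $_.Status -ne 'Disabled' } |
            Disable-NetAdapter -Confirm:$false
    }
    else {
        # Wired link gone (undocked / cable pulled): give Wi-Fi back.
        Write-Verbose 'No wired link: enabling Wi-Fi adapter(s).'
        $wifi | Where-Object { $_.Status -eq 'Disabled' } |
            Enable-NetAdapter -Confirm:$false
    }
}

Sync-WirelessToWiredState -Verbose
```

Run it once at logon and again from a scheduled task triggered by the network connected/disconnected events (IDs 10000 and 10001 in the Microsoft-Windows-NetworkProfile/Operational log) so it reacts to docking and undocking. Like the PROSet setting, this only binds users who are not local administrators: an administrator can simply re-enable the adapter, which is why the NAM or Group Policy approaches discussed later in the thread are worth combining with it.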
12-05-2012 10:23 PM
Tarik,
The AnyConnect NAM agent looks very good, but don't you need to have a full-blown Cisco NAC infrastructure for this to work?
12-05-2012 10:13 PM
Eric,
Your solution seems very good in my opinion.
I have done some more investigation and have found another solution which might be helpful. Since we are using Windows computers for employees, which are controlled by Active Directory, you can enforce a Group Policy in AD which will put the guest Wi-Fi SSID on a blacklist. Therefore the Windows machines of the employees will not be able to connect to the guest Wi-Fi SSID.
What do you guys think of the above?
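The SSID blacklist proposed above corresponds to the allow/block lists that the Wireless Network (IEEE 802.11) policy's Network Permissions tab manages in Group Policy; the same lists can be set locally with netsh wlan, which is useful for testing on one laptop before rolling out the GPO, or for pushing from a startup script where that policy is not in use. The block below is an added example, not from the thread; the SSID names are placeholders, and it goes one step beyond the post by also showing the allow-list variant (deny everything except named corporate SSIDs), which closes the gap of a phone hotspot or neighbouring AP standing in for the guest network.

```powershell
# Added example (not from the thread): the guest-SSID blacklist as Wi-Fi
# permission filters. Run elevated; netsh wlan add/delete filter need admin rights.
# SSID names below are placeholders for the real guest and corporate SSIDs.

$GuestSsid = 'CorpGuest'   # placeholder: the open guest SSID
$CorpSsid  = 'CorpWLAN'    # placeholder: the corporate SSID employees may use

# 1. Blacklist the guest SSID. A blocked SSID disappears from the available-networks
#    list and a stored profile for it can no longer connect.
netsh wlan add filter permission=block ssid="$GuestSsid" networktype=infrastructure

# 2. Stricter variant (optional): allow only named SSIDs and deny all others.
#    An explicit allow entry overrides denyall, so the corporate SSID keeps working
#    while a personal hotspot or neighbouring AP is refused. Uncomment to apply.
# netsh wlan add filter permission=allow ssid="$CorpSsid" networktype=infrastructure
# netsh wlan add filter permission=denyall networktype=infrastructure

# 3. Remove any profile the user already saved for the guest network, then show the
#    resulting filter lists (group-policy and local entries are listed separately).
netsh wlan delete profile name="$GuestSsid"
netsh wlan show filters
```

As with the GPO itself, this holds only for users who are not local administrators (an administrator can run netsh wlan delete filter), and it filters by SSID name rather than by radio state, so it does not stop a second, unlisted network; the NAM wired-priority behaviour Tarik describes addresses the simultaneous-connection case directly.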
12-05-2012 10:51 PM
Thanks, Tarik, for your recommendation about the AnyConnect NAM agent.