12-09-2014 03:49 AM - edited 03-10-2019 10:15 PM
Hello,
I created an open SSID on the WLC named Visitante and configured ISE to do CWA.
Rule is:
AuthZ_CWA = If Device:Wireless Lan Controller Equal WLC then WLC_CWA
I created a guest account in the Sponsor Portal, and the above rule in ISE is:
AuthZ_Guest = If Guest and AD:ExternalGroups NOT EQUAL mydomain/users/Domain Computers then INTERNET-ACCESS
When I connect with a domain computer, this computer gets Internet access, matching the AuthZ_Guest rule.
Is what I'm doing correct? Should it work? Or is there another way to do this control?
I would appreciate some help in this case.
Best Regards,
Daniel Stefani
12-09-2014 04:56 AM
The easiest way to prohibit domain computers from joining a guest SSID is through GPO. You can either set the group policy to prohibit the client from creating new wireless connections or you can manually push incorrect/wrong settings for the GUEST SSID. The wrong settings will prevent the client from joining.
12-09-2014 05:09 AM
This is a valid option.
But I was thinking of doing this through ISE. Do you know if this is possible?
Apparently ISE cannot read the AD attribute ExternalGroups when in CWA.
One doubt here: is it ISE that can't read these attributes, or the domain computer that doesn't send these attributes to ISE?
Best Regards,
Daniel Stefani
12-09-2014 07:43 AM
Hi Daniel, I am not 100% sure, but I think ISE does not collect these attributes. I would test it in my lab, but I am out on vacation now, so it will be a while :( You can test this and use the detailed authentication screen in ISE to see what attributes are being collected.