Restrict corporate users from connecting to the BYOD SSID

Angus Bishop
Level 1

Dear folks,

Can anyone help me with the ISE configuration to restrict corporate users from connecting to the BYOD SSID?

My devices are laptops, Windows phones, iPhones.

My corporate laptops have a certificate installed; I am using (PEAP + EAP-TLS) authentication to connect the corporate laptops to the corp SSID.

Please guide me with some ideas.

Regards

Agnus

7 Replies

What supplicant are you using on the corporate laptop? Can you explain what you mean by PEAP + EAP-TLS?

One way to limit your corporate users from accessing any SSID other than your corporate SSID is to use the Cisco AnyConnect Secure Mobility client with the NAM module. You can then configure your corporate SSID as a "corporate SSID":

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1077927

With this feature enabled your clients will not be able to connect to any other SSIDs when the corporate SSID is available. This will also assist you in blocking your users from connecting to MiFi devices in an effort to bypass web filtering.

Just so I understand your question a bit more clearly: you want to prevent users from connecting to the BYOD SSID. If that is the case, then you may want to consider group policy, setting the wrong security type for that SSID so users cannot connect to it.

Thanks,

Tarik Admani
*Please rate helpful posts*

The requirement is that I need to restrict the corporate laptops from connecting to the BYOD SSID, not the user credentials.

I am using certificate authentication on my laptop for corporate access.

We have a setup like this. We use 802.1X to "throw" the wireless client to the correct SSID based on their username and/or the MAC address of their machines.

What I have done so far is to set up an SSID which uses AD auth to verify user membership to log into this SSID. This is a BYOD SSID.

The problem is that the same users can use their same credentials to log into my trusted SSID using their AD credentials.

I need to be able to not allow their personal devices on my trusted network and just keep those on the BYOD network using ACS 5.5.

Debaker,

You don't mention how you are expecting the non-BYOD devices to authenticate. If they are authenticating with certificates then you can do this. You can create an AuthZ rule that uses the BYOD SSID and the authentication method as criteria. Then you create a rule that matches certificate-based authentication and permits access, followed by a default deny.

Assuming the SSID is BYOD, the MAC address is presented to ACS/ISE as the "Called-Station-ID" in the form of the MAC address, then the SSID name, separated by a colon: 00-11-22-AA-BB-CC:BYOD.

Your AuthZ rule can match Called-Station-ID ends with BYOD. The other option is to match based on Airespace-Wlan-Id. The second is not always preferred because if you have multiple WLCs, all of the WLCs would need to be configured with the WLANs using the same ID numbers.

The second rule does not need to specify which SSID you want to allow the devices with the certificates on. This is because they are corporate devices and should be able to connect to the BYOD or corporate SSID, but if you wanted to only allow them to connect to the corporate SSID you would create a similar rule to the one above, except using ":corpssid" and Network Access:AuthenticationMethod EQUALS x509_PKI.

You can also include Network Access:EapTunnel EQUALS PEAP in the BYOD rule if for some reason you wanted to disallow using certificates on the BYOD network.
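The rule order described in the reply above, as an added illustration that is not Cisco ISE/ACS code and not part of the original thread: a first-match evaluator over the attributes the reply names (Called-Station-ID, Network Access:AuthenticationMethod, Network Access:EapTunnel), with the SSID names "BYOD" and "corpssid" taken from the reply. Rule names, the MAC addresses and the PEAP attribute values in the samples are constructed for this example; the real operator semantics and attribute spellings in ACS/ISE must be checked in the product's policy editor.

```python
# Added illustration (not Cisco ISE/ACS code): simulates the first-match
# authorization rule order described in the reply above.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]          # attribute name -> value, as presented to the AAA server
Condition = Callable[[Request], bool]


def ends_with(attr: str, suffix: str) -> Condition:
    """Mirror of the 'ends with' operator: true when attr is present and ends in suffix."""
    return lambda req: req.get(attr, "").endswith(suffix)


def equals(attr: str, value: str) -> Condition:
    """Mirror of the 'EQUALS' operator."""
    return lambda req: req.get(attr) == value


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # all conditions must hold (AND)
    result: str                   # "PermitAccess" or "DenyAccess"

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split 'AP-MAC:SSID' into (mac, ssid); ssid is None if no colon is present."""
    mac, sep, ssid = value.partition(":")
    return mac, (ssid if sep else None)


def evaluate(rules: List[Rule], req: Request, default: str = "DenyAccess") -> Tuple[str, str]:
    """Return (rule name, result) of the first matching rule, else the default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.result
    return "Default", default


# Rule set built from the thread: SSID names "BYOD" and "corpssid" come from the
# reply; the rule names are constructed for this illustration.
AUTHZ_RULES = [
    # Corporate (certificate) device straying onto the BYOD SSID -> deny
    Rule("Corp cert device on BYOD SSID",
         [ends_with("Called-Station-ID", ":BYOD"),
          equals("Network Access:AuthenticationMethod", "x509_PKI")],
         "DenyAccess"),
    # Corporate (certificate) device on the corporate SSID -> permit
    Rule("Corp cert device on corp SSID",
         [ends_with("Called-Station-ID", ":corpssid"),
          equals("Network Access:AuthenticationMethod", "x509_PKI")],
         "PermitAccess"),
    # Password (PEAP) user on the BYOD SSID -> permit; certificates not accepted here
    Rule("PEAP user on BYOD SSID",
         [ends_with("Called-Station-ID", ":BYOD"),
          equals("Network Access:EapTunnel", "PEAP")],
         "PermitAccess"),
]


def decide(called_station_id: str, auth_method: str, eap_tunnel: str = "") -> str:
    """Build the attribute set for one session and return only the decision."""
    req = {
        "Called-Station-ID": called_station_id,
        "Network Access:AuthenticationMethod": auth_method,
        "Network Access:EapTunnel": eap_tunnel,
    }
    return evaluate(AUTHZ_RULES, req)[1]


if __name__ == "__main__":
    # Constructed sample sessions (MAC addresses and PEAP values are made up).
    samples = [
        ("00-11-22-AA-BB-CC:BYOD", "x509_PKI", ""),          # corp laptop on BYOD SSID
        ("00-11-22-AA-BB-CC:corpssid", "x509_PKI", ""),      # corp laptop on corp SSID
        ("00-11-22-AA-BB-CC:BYOD", "MSCHAPV2", "PEAP"),      # personal device on BYOD SSID
        ("00-11-22-AA-BB-CC:corpssid", "MSCHAPV2", "PEAP"),  # personal device on corp SSID
    ]
    for csid, method, tunnel in samples:
        mac, ssid = parse_called_station_id(csid)
        print(f"{ssid or '-':10} {method:9} {tunnel or '-':6} -> {decide(csid, method, tunnel)}")
```

The personal device on the corporate SSID falls through to the default deny, which is the behaviour Debaker asked for; the corporate laptop on the BYOD SSID is caught by the first rule, which is the original poster's requirement. Keep the deny rule above the broader permit rules, since the first match wins.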

