Beginner

Prevent Wireless 802.1x clients connecting to all Wireless Networks

Hi,

I would like to have user-based certificate authentication for my wireless networks. We have a wireless network for corporate laptops and one for mobile devices like iPads/phones. I don't want corporate devices to be able to connect to the mobile wireless network and vice versa.

The problem I'm facing is that once I implement user-based certificate authentication, both iPads and corporate laptops can connect to both the mobile and the corporate wireless networks. Is there a way to restrict mobile devices from connecting to corporate wireless networks and corporate laptops from connecting to mobile device wireless networks?

Thanks

1 ACCEPTED SOLUTION

Hall of Fame Master

Re: Prevent Wireless 802.1x clients connecting to all Wireless Networks

What you would do is, for the domain machines, use machine authentication, and for the mobile devices either PEAP or EAP-TLS. The domain machines can also use EAP-TLS if you want. Then you would have two policies on ACS, and you would use the Called-Station-Id attribute to distinguish between the SSIDs. Your AD groups would need to be different. That is why machine authentication can use the computer group and the mobile devices can use PEAP or EAP-TLS. If your SSIDs were Domain and Mobile, then you would add to your policy a Called-Station-Id with a value of *.Domain for the domain computers and *.Mobile for mobile devices.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
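To make the accepted answer concrete, here is an added example (not from the original thread and not Cisco ACS code) that models the two-policy decision Scott describes as a small RADIUS authorization evaluator. It assumes the WLC sends Called-Station-Id as "AP-radio-MAC:SSID" (the default Cisco WLC format is an assumption here; the delimiter in your own RADIUS debug output decides whether the ACS wildcard should be "*:Domain" or "*.Domain"), that machine authentication presents a "host/..." identity, and that the AD group names "Domain Computers" and "Mobile Users" are placeholders. The scenarios at the bottom are constructed; the important one is the last, where a user who happens to be in both groups still cannot bring a user certificate onto the Domain SSID because that policy requires a machine identity.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Subset of RADIUS Access-Request attributes the policy looks at."""
    user_name: str            # EAP identity; machine auth shows up as host/<name>
    eap_type: str             # "EAP-TLS" or "PEAP" (assumed labels)
    called_station_id: str    # assumed WLC format: "<AP radio MAC>:<SSID>"
    ad_groups: frozenset      # groups ACS resolved from AD for this identity


@dataclass(frozen=True)
class Rule:
    """One ACS-style authorization policy: all conditions must match."""
    name: str
    called_station_pattern: str   # shell-style wildcard, e.g. "*:Domain"
    required_group: str           # AD group that must contain the identity
    allowed_eap: frozenset        # EAP methods the SSID accepts
    machine_auth: bool            # True: identity must be host/...; False: must not


def is_machine_identity(user_name: str) -> bool:
    # Windows machine authentication uses the host/<FQDN> identity form.
    return user_name.lower().startswith("host/")


def ssid_of(called_station_id: str) -> str:
    # Everything after the last ':' is the SSID under the assumed WLC format.
    return called_station_id.rsplit(":", 1)[-1]


def evaluate(req: AccessRequest, rules: list) -> tuple:
    """First-match policy evaluation; no match is a default deny."""
    for rule in rules:
        if not fnmatch.fnmatchcase(req.called_station_id, rule.called_station_pattern):
            continue                       # wrong SSID for this policy
        if rule.required_group not in req.ad_groups:
            continue                       # identity not in the policy's AD group
        if req.eap_type not in rule.allowed_eap:
            continue                       # EAP method not permitted on this SSID
        if rule.machine_auth != is_machine_identity(req.user_name):
            continue                       # machine vs. user identity mismatch
        return ("ACCEPT", rule.name)
    return ("REJECT", "default-deny")


# The two policies from the accepted answer; group and SSID names are assumed.
POLICY = [
    Rule("Domain-SSID-machine-auth", "*:Domain", "Domain Computers",
         frozenset({"EAP-TLS", "PEAP"}), machine_auth=True),
    Rule("Mobile-SSID-user-auth", "*:Mobile", "Mobile Users",
         frozenset({"EAP-TLS", "PEAP"}), machine_auth=False),
]

AP = "00-11-22-33-44-55"   # constructed AP radio MAC


def run_scenarios() -> dict:
    """Constructed requests covering each allowed and disallowed combination."""
    laptop = "host/LAPTOP01.corp.example"
    ipad_user = "alice@corp.example"
    cases = {
        "laptop on Domain": AccessRequest(laptop, "EAP-TLS", f"{AP}:Domain",
                                          frozenset({"Domain Computers"})),
        "laptop on Mobile": AccessRequest(laptop, "EAP-TLS", f"{AP}:Mobile",
                                          frozenset({"Domain Computers"})),
        "iPad on Mobile": AccessRequest(ipad_user, "PEAP", f"{AP}:Mobile",
                                        frozenset({"Mobile Users"})),
        "iPad on Domain": AccessRequest(ipad_user, "EAP-TLS", f"{AP}:Domain",
                                        frozenset({"Mobile Users"})),
        # User in both groups: group membership alone would let her onto Domain,
        # the machine_auth condition is what actually keeps her off it.
        "user cert in both groups on Domain": AccessRequest(
            ipad_user, "EAP-TLS", f"{AP}:Domain",
            frozenset({"Mobile Users", "Domain Computers"})),
    }
    return {label: evaluate(req, POLICY) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in run_scenarios().items():
        print(f"{label:38s} -> {verdict} ({reason})")
```

The order of the checks mirrors what you would configure in ACS: SSID first (via the Called-Station-Id wildcard), then identity group, then EAP method. Keep both policies, plus the implicit default deny, so that a device that matches neither (for example a laptop whose machine account was moved out of the computer group) is rejected rather than landing on whichever SSID it tried.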

4 REPLIES
Beginner

Prevent Wireless 802.1x clients connecting to all Wireless Networks

Bit more information. I'm using Cisco ACS and don't currently have ISE.


Beginner

Prevent Wireless 802.1x clients connecting to all Wireless Networks

Thanks Scott

Hall of Fame Master

Re: Prevent Wireless 802.1x clients connecting to all Wireless Networks

No problem.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***