I've been researching this for a while and can't seem to come across anything that points me in the right direction, so I'm hoping someone can assist. Currently people can connect to the corp wireless via 802.1x with their AD credentials on ANY device. How could I change that so that when "Johnny" brings in his personal laptop he is not able to connect? I know it's cert based, but I'm not so sure if it's on the WLC or on the RADIUS server. Thanks for any input!
Thanks for the reply! Have you ever heard of doing anything that's cert based? For example, I still use 802.1x for auth, but if someone brings a machine in that doesn't have the cert they won't be able to login even if they have a user/pass.
Sorry, I have not. Why don't you add MAC filtering? Or if you really want to get crazy, add DHCP reservations for each client (pending it's not hundreds), then create an ACL so that only the DHCP reservation objects are permitted to whatever protocols you desire.
If you have an AD environment with domain clients, you can start using EAP-TLS as the authentication method for 802.1X instead of username/password authentication (EAP-PEAP or MSCHAPv2).
With your AD domain you can simply create (or use an existing) certification authority and, with the PKI tools in AD, distribute certificates to every domain workstation. Certificate authentication can be machine-based (i.e. a certificate for the workstation needs to be pushed) or user-based (user certificate).
Once you have finally distributed them (this can be done via the automatic enrollment process for domain-member clients only; you just have to prepare the PKI) and checked that authentication is working, you can limit the authentication options on your AAA server to allow only EAP-TLS and you are done.
Similarly, I hope you can prepare a GPO to push the correct settings for your wireless network so that it is set up automatically without user interaction.
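A worked readiness check to go with the answer above (this is an added example, not code from the thread, from Cisco or from Microsoft): a PowerShell script a domain admin could run on a workstation before the AAA server is restricted to EAP-TLS only. It verifies the two things that answer relies on, that an auto-enrolled machine certificate with the Client Authentication EKU from the corporate CA is present in the local machine store, and that the GPO-pushed wireless profile actually selects EAP-TLS (EAP method type 13) rather than PEAP (type 25). The CA common name "CORP-ISSUING-CA" and the SSID/profile name "CorpWiFi" are placeholders to be replaced with your own values.

```powershell
# Added example: audit a domain workstation for EAP-TLS readiness.
# Assumptions (placeholders, not from the thread):
#   - the issuing CA's common name is "CORP-ISSUING-CA"
#   - the corporate wireless profile is named "CorpWiFi"
param(
    [string]$CaName      = 'CORP-ISSUING-CA',
    [string]$ProfileName = 'CorpWiFi'
)

# 1. Does the machine hold a usable (auto-enrolled) client-authentication certificate?
function Test-MachineEapTlsCert {
    param([string]$IssuerCN)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "*CN=$IssuerCN*" -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
    foreach ($c in $certs) {
        Write-Host ("OK   machine cert {0} (expires {1:yyyy-MM-dd})" -f $c.Subject, $c.NotAfter)
    }
    if (-not $certs) { Write-Warning "No valid client-auth certificate issued by $IssuerCN in LocalMachine\My" }
    return [bool]$certs
}

# 2. Is the wireless profile configured for 802.1X with EAP-TLS?
function Test-WlanProfileEapTls {
    param([string]$Name)
    $tmp = Join-Path $env:TEMP ("wlan-audit-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        # netsh writes "<interface name>-<profile name>.xml" into the folder
        netsh wlan export profile name="$Name" folder="$tmp" | Out-Null
        $file = Get-ChildItem $tmp -Filter "*-$Name.xml" | Select-Object -First 1
        if (-not $file) { Write-Warning "Wireless profile '$Name' not found"; return $false }
        [xml]$p = Get-Content $file.FullName
        # local-name() sidesteps the several XML namespaces used in the profile schema
        $useOneX = $p.SelectSingleNode("//*[local-name()='useOneX']").InnerText
        $eapType = [int]$p.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']").InnerText
        $modeNode = $p.SelectSingleNode("//*[local-name()='authMode']")
        $authMode = if ($modeNode) { $modeNode.InnerText } else { 'machineOrUser (default)' }
        $ok = ($useOneX -eq 'true') -and ($eapType -eq 13)   # 13 = EAP-TLS, 25 = PEAP
        $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
        Write-Host ("{0} profile '{1}': 802.1X={2}, EAP type {3}, authMode {4}" -f $tag, $Name, $useOneX, $eapType, $authMode)
        return $ok
    } finally {
        Remove-Item $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$certOk    = Test-MachineEapTlsCert -IssuerCN $CaName
$profileOk = Test-WlanProfileEapTls -Name $ProfileName
if ($certOk -and $profileOk) {
    'Workstation is ready for an EAP-TLS-only wireless policy'
} else {
    'Workstation would fail once PEAP/MSCHAPv2 is disabled on the AAA server'
}
```

Run it on a handful of pilot machines before turning off PEAP/MSCHAPv2 on the RADIUS server. The script is only a client-side readiness check; the actual enforcement is the server-side policy that accepts nothing but EAP-TLS, which is what makes a personal laptop without a certificate from your CA fail at the TLS handshake even when its owner knows valid AD credentials.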