Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1636
Views
0
Helpful
4
Replies

Block non domain machines

Will Phinney
Level 1
Level 1

‎05-06-2015 01:20 PM

Good afternoon everyone,

I've been researching this for awhile and can't seem to come across anything that points me in the right direction, so I'm hoping someone can assist. Currently people can connect to the corp wirless  via 802.1x with their AD credentials on ANY device. How could I change that so when "Johnny" brings in his personal laptop he is not able to connect. I know it's cert based, but I'm not so sure if it's on the WLC or on the radius server. Thanks for any input!

 

 

Labels:
0 Helpful
4 Replies 4

vgulinolite
Level 1
Level 1

‎05-07-2015 11:06 AM

in Microsoft IAS you can create a policy condition to only allow the Domain Windows Group Domain Users (can be any group) & Domain Computers.

0 Helpful

Will Phinney
Level 1
Level 1
In response to vgulinolite

‎05-07-2015 11:54 AM

Vgulinolite,

Thanks for the reply! Have you ever heard of doing anything that's cert based? For example, I still use 802.1x for auth, but if someone brings a machine in that doesn't have the cert they won't be able to login even if they have a user/pass.

 

Thanks!

0 Helpful

vgulinolite
Level 1
Level 1
In response to Will Phinney

‎05-07-2015 12:06 PM

Sorry I have not, why don't you add MAC filtering? or if you really want to get crazy, add DHCP reservations for each client (pending its not hundreds), then create an ACL that only the DHCP reservation objects are permitted to what protocols you desire.

0 Helpful

Michal Bruncko
Level 4
Level 4

‎05-14-2015 12:23 AM

Hi Will

if you have AD environment with domain clients, you can start using EAP-TLS as authentication method for 802.1X instead of username/pass authentication (EAP-PEAP or MSCHAPv2).

With your AD domain you can simply create (or use existing) certification authority and with PKI tool on AD distribute certificates to every domain workstation. Certificate authentication can be machine-based (i.e. certificate for workstation needs to be pushed) or user-based (user certificate).

Once you finally distribute (can be done via automatic enrollment process for domain-member clients only, you just have to prepare PKI) and check if authentication working. Then you can limit authentication option on your AAA server to allow only EAP-TLS and you are done.

Similarly I hope you can prepare GPO for pushing correct settings for your wireless network to be automatically prepared without user interaction.

0 Helpful
Customers Also Viewed These Support Documents