Beginner

Block non domain machines

Good afternoon everyone,

I've been researching this for a while and can't seem to come across anything that points me in the right direction, so I'm hoping someone can assist. Currently people can connect to the corp wireless via 802.1x with their AD credentials on ANY device. How could I change that so when "Johnny" brings in his personal laptop he is not able to connect? I know it's cert based, but I'm not so sure if it's on the WLC or on the radius server. Thanks for any input!

4 REPLIES
Beginner

in Microsoft IAS you can create a policy condition to only allow the Domain Windows Group Domain Users (can be any group) & Domain Computers.

Beginner

Vgulinolite,

Thanks for the reply! Have you ever heard of doing anything that's cert based? For example, I still use 802.1x for auth, but if someone brings a machine in that doesn't have the cert they won't be able to login even if they have a user/pass.

Thanks!

Beginner

Sorry, I have not. Why don't you add MAC filtering? Or, if you really want to get crazy, add DHCP reservations for each client (pending it's not hundreds), then create an ACL so that only the DHCP reservation objects are permitted to the protocols you desire.

Enthusiast

Hi Will

If you have an AD environment with domain clients, you can start using EAP-TLS as the authentication method for 802.1X instead of username/password authentication (EAP-PEAP or MSCHAPv2).

With your AD domain you can simply create (or use an existing) certification authority and, with the PKI tools in AD, distribute certificates to every domain workstation. Certificate authentication can be machine-based (i.e. a certificate for the workstation needs to be pushed) or user-based (user certificate).

Once you have distributed them (this can be done via the automatic enrollment process for domain-member clients only; you just have to prepare the PKI) and checked that authentication is working, you can limit the authentication options on your AAA server to allow only EAP-TLS, and you are done.

Similarly, I hope you can prepare a GPO to push the correct settings for your wireless network so it is configured automatically without user interaction.