Help With Mobile Devices Best Practices

dhopper82
Level 1

We are trying to set up an SSID where our mobile device users (iPad, iPhone, etc.) can get on and have limited access to the internal network.

I was able to limit access using an ACL on the VLAN we assign the devices to, but I can't find a good way to set up the controller where they are strictly using LDAP. I've seen the OU setup, but that doesn't work in our environment because users could only be in that specific OU and would lose some group policies. Cisco doesn't allow LDAP group access, unfortunately.

That's not that big of an issue. My question is: what are some good ways to set up a secure SSID that only allows specific wireless users to authenticate on it? I've thought about machine authentication. I don't know much about certificates but think that wouldn't work because anyone could get onto it and get a certificate (I think). I'm just looking for ideas...

1 Reply

Scott Fella
Hall of Fame

dhopper82,

The WLC will not police the wireless traffic; it allows users on or drops the users if they don't authenticate. What I have seen in my experience is that when it is decided what services these users will be allowed, an ACL is placed to allow or deny traffic from that wireless VLAN to any other subnet. What type of authentication are you planning on using with iPads, iPhones, etc.? The issue, I think, if you go with 802.1X is the fact that some devices might have issues with certificates and user accounts getting locked out when they change their password on their workstation or laptop and forget to change it on their devices. I think most of my clients put these devices straight out to the DMZ since they still can hit the Exchange server from the outside. You have to sort of balance it out... how secure you want the wireless and who will be responsible for fixing user or device issues.

-Scott
*** Please rate helpful posts ***