how to restrict non-domain joined laptops on Cisco Wireless Controller

e2andreas
Level 1

Hello Community,

I want to allow access to WiFi only for domain-joined laptops and restrict for all other devices.

Has anyone had this task before and know the best way to achieve this?

I would very much appreciate any guidelines on this.

Thank you in advance!

Accepted Solution

ISE :) You can run it on a virtual machine.

But yes, you need to purchase a license for the sessions you want to use.

More info about licensing:

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Regards

Don't forget to rate helpful posts

8 Replies

Sandeep Choudhary
VIP Alumni

Use certificate-based authentication (for example, the PEAP or EAP-TLS protocol).

For that you need:

AD

WLC

ISE

CA server

Here is the guide: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.pdf

Regards

Don't forget to rate helpful posts

Thank you for the direction!

But I don't have an ISA server. Does an ISA server for this purpose require a license to be purchased?

If it does, do I need only one ISA server license, or do I need a license for each connected user?

Thanks


I found the following documentation for using a Windows CA server and a Windows RADIUS server instead of Cisco ISE.

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

But I ran into an issue where the Windows RADIUS server can't authenticate via certificates and the client can't authenticate.

Maybe some of you have clear instructions on this, as those in the Cisco article above don't work in my case.

Thanks

It's related to PEAP.

As I said, if you want to stop non-domain laptops from connecting to the WLAN, then you need to use EAP-TLS.

Here is a guide:

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Regards

Don't forget to rate helpful posts

Thank you, this manual helped me configure cert-based authentication.

But now I'm not quite sure whether I should use the PEAP or EAP authentication type. Do you know the difference, and which one is better for cert-based authentication?

PEAP or EAP-TLS

PEAP only needs a server-side cert.

TLS needs a cert on both sides (client and server).

Or in other words: PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and it uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server.

Regards

Don't forget to rate helpful posts

Leo Laohoo
Hall of Fame
You need ISE to do this.