10-21-2011 06:06 AM - edited 07-03-2021 08:58 PM
Hi,
Currently we are running Cisco wireless APs in an LWAPP setting with Cisco WiSM. Wireless authentication for network access is linked to our Active Directory.
What we are noticing is that a large number of users are connecting to the wireless using their smartphones (iPhones, Droids and BlackBerrys). Does anyone know of a way to block these devices from connecting to the wireless without changing how laptop users connect?
Thank you,
Sami
10-21-2011 06:36 AM
Sami,
I would say, take a look at Cisco ISE. The ISE is able to 'fingerprint' a device to identify what it is, then allow or disallow access according to the rules that you configure.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
10-21-2011 05:53 PM
What we are noticing is that a large number of users are connecting to the wireless using their smartphones (iPhones, Droids and BlackBerrys). Does anyone know of a way to block these devices from connecting to the wireless without changing how laptop users connect?
The answer to this question is found in the second sentence of your post: Wireless authentication for network access is linked to our Active Directory.
10-26-2011 07:20 AM
Hi.
If you are using a DHCP server in the wireless environment, then you can block “smart phone” MAC addresses from getting an IP address, or you can block on “Vendor Name”.
This solution is not the most “beautiful” one but it works.
10-26-2011 07:24 AM
But that would also block Apple laptops as well, wouldn't it?
Sent from Cisco Technical Support iPhone App
10-26-2011 07:46 AM
Hi
Yes, on Vendor ID it blocks Apple laptops, but you can block a specific Apple "MAC address" series, just for iPhones.
shared-network VLAN915 {
    # Class keyed on the first three bytes of the client MAC (the vendor prefix);
    # byte 0 of "hardware" is the hardware type.
    class "phones" {
        match substring(hardware,1,3);
    }
    subclass "phones" 34:15:9e;
    subclass "phones" 30:78:22;
    ...
    subnet 10.10.1.0 netmask 255.255.255.0 {
        pool {
            # Clients in the "phones" class get no lease from this pool.
            deny members of "phones";
        }
    }
}
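An added example, not part of the original post: a small Python audit that emulates the `match substring(hardware,1,3)` class test above, so a list of client MACs can be checked against the deny list before the DHCP change goes live. The sample MACs are constructed, and the function names and the "allow-unattributed" label are assumptions of this example; it also flags locally administered addresses, whose first three bytes are not a vendor prefix and so never match a vendor subclass.

```python
# Added example: emulates dhcpd's  match substring(hardware,1,3)  test.
# In dhcpd, `hardware` is the hardware-type byte (1 = Ethernet) followed by
# the link-layer address, so bytes 1..3 are the first three MAC bytes.

DENIED_PREFIXES = {"34:15:9e", "30:78:22"}  # the two subclass entries from the post


def hardware_field(mac: str, htype: int = 1) -> bytes:
    """Build the value dhcpd calls `hardware`: type byte + 6 MAC bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([htype]) + bytes(int(p, 16) for p in parts)


def substring(data: bytes, offset: int, length: int) -> bytes:
    """Same semantics as dhcpd's substring(): zero-based offset, byte count."""
    return data[offset:offset + length]


def classify(mac: str) -> str:
    """Return 'deny', 'allow', or 'allow-unattributed' for one client MAC."""
    prefix = substring(hardware_field(mac), 1, 3)
    key = ":".join(f"{b:02x}" for b in prefix)
    if key in DENIED_PREFIXES:
        return "deny"
    # Locally administered bit (0x02 of the first octet) set: the prefix is
    # not vendor-assigned, so a vendor-prefix class cannot say what device it is.
    if prefix[0] & 0x02:
        return "allow-unattributed"
    return "allow"


def audit(macs):
    """Map each MAC to the verdict the DHCP class rule would give it."""
    return {mac: classify(mac) for mac in macs}


# Constructed sample addresses (not taken from any real network).
SAMPLE = [
    "34:15:9E:AA:BB:CC",   # matches the first subclass prefix
    "30-78-22-01-02-03",   # matches the second, dash-separated input
    "00:1b:63:11:22:33",   # some other vendor-assigned prefix
    "da:a1:19:00:00:01",   # locally administered address
]

if __name__ == "__main__":
    for mac, verdict in audit(SAMPLE).items():
        print(f"{mac:20} {verdict}")
```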
10-26-2011 08:16 AM
Guys,
Thank you for your input. I seem to have poorly explained the problem here. The last solution, blocking in DHCP based on Vendor MAC, seems to be what I'm looking for.
The main problem we are experiencing this with is the Guest access. Users with their Wi-Fi turned on on their phones will automatically tunnel through to DHCP over the Guest SSID and pick up an IP, but then not do anything (proceed to the authentication page) because they aren't trying to connect; it's just the phones doing it.
We currently are using Infoblox for serving DHCP IPs, and the wireless network has its own DHCP range that's served to all wireless users (guest and other SSIDs).
I looked at the configurations in Infoblox and didn't really see where I can do that, but I'm sure there's a way, so I'm going to reach out to Infoblox and see if their support can assist.
Thank you all for your responses,
Sam