cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
540
Views
10
Helpful
4
Replies
Dominic Zeni
Contributor

Excluding Mobile Devices from Joining WLAN

Hello,

Is it possible to exclude mobile devices from joining a WLAN configured for PEAP-MSCHAPv2 if they have a valid username and password?  Specifically we want to prevent iPhones, iPods, iPads, and iWhatevers from joining the network.  An example being a corporate employee with a valid account on the domain who has a personal iPad.  He gets to work, fires up his iPad, see's the corporate WiFi network (which is being broadcast), and types in his username/pw to gain access (ignores the certificate warning).  I can't think of any way to get around this with PEAP-MSCHAPv2.

Any ideas would be appreciated.

Thanks,

Dom

2 ACCEPTED SOLUTIONS

Accepted Solutions
Surendra BG
Cisco Employee

PEAP MS-CHAP V2 with MAC filtering is the one which is coming to my mind.. overhead, you need to get the MAC of each laptop..

Regards

Surendra

===

Please rate the posts which answered your quiestion or was helpfull

Regards
Surendra BG

View solution in original post

Hi,

If you ar using a RADIUS server like ACS and AD, you can use MAR (Machine Access Restriction).

This feature available in ACS allows you to enforce machine authnetication and users can only login from authorized machines.

Example:

In AD you have the DB of all the machines registered to the domain.

Users can only login to machines that belong to the domain and that had previously passed machine authentication.

Documentation:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

4 REPLIES 4
Surendra BG
Cisco Employee

PEAP MS-CHAP V2 with MAC filtering is the one which is coming to my mind.. overhead, you need to get the MAC of each laptop..

Regards

Surendra

===

Please rate the posts which answered your quiestion or was helpfull

Regards
Surendra BG

View solution in original post

Yeah, that would work.  Not excited about the overhead (+5,000 wireless clients)...

You are the winner unless there is another great idea!

Anyone else?

Hi,

If you ar using a RADIUS server like ACS and AD, you can use MAR (Machine Access Restriction).

This feature available in ACS allows you to enforce machine authnetication and users can only login from authorized machines.

Example:

In AD you have the DB of all the machines registered to the domain.

Users can only login to machines that belong to the domain and that had previously passed machine authentication.

Documentation:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

Thanks, Tiago.  This would be a much better approach for us.  Unfortunately the authentication server is Microsoft IAS.  I doubt that they implement such a feature.  This may be a good approach for getting ACS in there!  I think your answer is correct.  I am going to confirm my doubts about Microsoft IAS not having such a feature.

Content for Community-Ad