Excluding Mobile Devices from Joining WLAN

Dominic Zeni
Level 5

Hello,

Is it possible to exclude mobile devices from joining a WLAN configured for PEAP-MSCHAPv2 if they have a valid username and password?  Specifically we want to prevent iPhones, iPods, iPads, and iWhatevers from joining the network.  An example being a corporate employee with a valid account on the domain who has a personal iPad.  He gets to work, fires up his iPad, sees the corporate WiFi network (which is being broadcast), and types in his username/pw to gain access (ignores the certificate warning).  I can't think of any way to get around this with PEAP-MSCHAPv2.

Any ideas would be appreciated.

Thanks,

Dom

4 Replies

Surendra BG
Cisco Employee

PEAP MS-CHAPv2 with MAC filtering is the one that comes to my mind. The overhead: you need to get the MAC of each laptop.

Regards

Surendra

===

Please rate the posts which answered your question or were helpful.

Regards
Surendra BG

Yeah, that would work.  Not excited about the overhead (+5,000 wireless clients)...

You are the winner unless there is another great idea!

Anyone else?

Hi,

If you are using a RADIUS server like ACS with AD, you can use MAR (Machine Access Restriction).

This feature, available in ACS, allows you to enforce machine authentication so that users can only log in from authorized machines.

Example:

In AD you have the DB of all the machines registered to the domain.

Users can only log in from machines that belong to the domain and that have previously passed machine authentication.

Documentation:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Thanks, Tiago.  This would be a much better approach for us.  Unfortunately the authentication server is Microsoft IAS.  I doubt that they implement such a feature.  This may be a good approach for getting ACS in there!  I think your answer is correct.  I am going to confirm my doubts about Microsoft IAS not having such a feature.
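To make the two suggestions in this thread concrete, here is an added illustration (not ACS, IAS or any Cisco code) of how a RADIUS policy engine would decide the iPad case under Surendra's MAC filtering and under Tiago's MAR. The RADIUS attribute names (User-Name, Calling-Station-Id) are standard; the `host/<fqdn>` identity for Windows machine authentication is the normal Windows convention; everything else is assumed for the example: the `MAR_AGING_SECONDS` window, the in-memory MAR cache, the `credentials_ok` flag that stands in for the PEAP-MSCHAPv2 inner check against AD, and the constructed MAC addresses and requests in `run_scenarios()`.

```python
"""Model of MAC filtering vs. Machine Access Restriction (MAR) on a RADIUS server.

Illustration only; not ACS/IAS code. Requests are hand-constructed dicts of
RADIUS attributes, and the AD credential check is simulated by a flag.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Assumed MAR aging window. ACS exposes this as a configurable timer; a user
# login is only accepted if the same MAC machine-authenticated within it.
MAR_AGING_SECONDS = 8 * 3600


def norm_mac(mac: str) -> str:
    """Normalise the Calling-Station-Id spellings different NAS vendors send
    (00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55) to one form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RadiusPolicy:
    mode: str                                   # "mac_filter" or "mar"
    mac_allowlist: Set[str] = field(default_factory=set)      # corporate laptop MACs, maintained by hand
    mar_cache: Dict[str, float] = field(default_factory=dict)  # MAC -> time of last machine auth

    def evaluate(self, request: dict, now: float, credentials_ok: bool) -> Tuple[str, str]:
        """Return (decision, reason). credentials_ok stands in for the
        PEAP-MSCHAPv2 inner authentication against AD, which is not modelled."""
        mac = norm_mac(request["Calling-Station-Id"])
        user = request["User-Name"]
        if not credentials_ok:
            return "Access-Reject", "AD rejected the credentials"
        if user.startswith("host/"):
            # Windows presents host/<fqdn> for machine authentication: remember
            # the MAC the domain-joined machine authenticated from.
            self.mar_cache[mac] = now
            return "Access-Accept", f"machine auth for {user} recorded for {mac}"
        if self.mode == "mac_filter":
            if mac in self.mac_allowlist:
                return "Access-Accept", f"{mac} is on the corporate MAC list"
            return "Access-Reject", f"{mac} is not on the corporate MAC list"
        if self.mode == "mar":
            last = self.mar_cache.get(mac)
            if last is None:
                return "Access-Reject", f"no machine authentication seen from {mac}"
            if now - last > MAR_AGING_SECONDS:
                return "Access-Reject", f"machine authentication from {mac} has aged out"
            return "Access-Accept", f"{user} logging in from machine-authenticated {mac}"
        raise ValueError(f"unknown mode {self.mode!r}")


# Constructed sample devices for the scenario in the original question.
LAPTOP_MAC = "00-11-22-33-44-55"   # domain-joined corporate laptop
IPAD_MAC = "AA:BB:CC:DD:EE:FF"     # employee's personal iPad, valid AD password

LAPTOP_USER = {"User-Name": "CORP\\jdoe", "Calling-Station-Id": LAPTOP_MAC}
IPAD_USER = {"User-Name": "CORP\\jdoe", "Calling-Station-Id": IPAD_MAC}
LAPTOP_MACHINE = {"User-Name": "host/laptop01.corp.example", "Calling-Station-Id": LAPTOP_MAC}


def run_scenarios() -> Dict[str, str]:
    """Run both policies against the constructed requests; returns decisions."""
    out = {}
    # Surendra's approach: only pre-registered laptop MACs may carry a user login.
    filt = RadiusPolicy("mac_filter", mac_allowlist={norm_mac(LAPTOP_MAC)})
    out["filter_laptop"] = filt.evaluate(LAPTOP_USER, now=0, credentials_ok=True)[0]
    out["filter_ipad"] = filt.evaluate(IPAD_USER, now=0, credentials_ok=True)[0]
    # Tiago's approach: a user login is accepted only from a MAC that recently
    # completed machine authentication, which a personal iPad never does.
    mar = RadiusPolicy("mar")
    out["mar_ipad_before_any_machine_auth"] = mar.evaluate(IPAD_USER, 0, True)[0]
    out["mar_laptop_machine_auth"] = mar.evaluate(LAPTOP_MACHINE, 0, True)[0]
    out["mar_laptop_user"] = mar.evaluate(LAPTOP_USER, 60, True)[0]
    out["mar_ipad_user"] = mar.evaluate(IPAD_USER, 120, True)[0]
    out["mar_laptop_bad_password"] = mar.evaluate(LAPTOP_USER, 61, False)[0]
    out["mar_laptop_aged_out"] = mar.evaluate(LAPTOP_USER, MAR_AGING_SECONDS + 61, True)[0]
    return out


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:40s} {decision}")
```

Both controls key on Calling-Station-Id, which is whatever MAC the client chooses to present, so a user who copies a corporate laptop's MAC onto a personal device defeats either one; MAR additionally depends on the aging timer (the last scenario shows a laptop whose machine authentication has expired being refused until it re-authenticates), and on the machine actually performing machine authentication on that WLAN before the user logs in.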
