cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3815
Views
16
Helpful
12
Replies

How to avoid none domain computers to login to the wireless

Babak KHorshid
Level 1
Level 1

Hi, please help its killing me! Its not pure Cisco but Im sure you guys might have some solution in your mind. 

 

I want only domain computers plus one OU (Staff) be able to connect to our network. I am trying to restrict Mobile Phones (iphone and android) and personal laptops from connecting to our wireless network.

We use a windows based NPS.  it is currently set to allow anyone to connect with their domain computer OR Domain username.

So to the Network Policy I added "Domain Computers" (using "Windows Groups", I also tried "Machine Groups") within the Conditions tab.

I tested to see if a laptop could still connect and it could not.

I have tried many many different combinations within the conditions tab to try and get this working but to no avail.

1. just having "domain computers" (either windows or machine groups)
2. having domain users and domain computers (with all combinations of windows/machine/users groups)
3. I even tried Operating system conditions

These are all set in "And" values, if set to OR (in combination with Domain Users) then the laptop connects, but then so does the phone.

Regards?

12 Replies 12

Saurav Lodh
Level 7
Level 7

To blacklist android and iphone, you can profile the endpoint devices and based on profiling data you can create authorization rules
 

Hi Saurav Thanks for the answer Im not an advanced user with wlc. Can u please explain more about profiling the endpoints device? How to do that and authorization rules? Very much appreciated

In my opinion the way you only allow domain device access to the network is you need to install something on the box.

 

mdm 

certificate eap-tls

agent 

 

profiling will not get you there accurately ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi

i managed to setup local profiling but the problem is wlc seem to not correctly detect the endpoints! I chosed Samsung phones and Android os but its not recognizing it. Ipad works but iphones nah!

anyone with any comments appriciated because i really need to block the phones. Wlc seems not have the mac wildcard feature other wise i try to create a mac wildcard acl

Scott Fella
Hall of Fame
Hall of Fame

Use machine authentication and push a GPO to change the domain machine wireless profile to authenticate using machine only. Then change your radius policy to point to your computer OU.  This will only allow domain computers to join.

-Scott

-Scott
*** Please rate helpful posts ***

Hi Scott

thanks for the answer and im going to do as what u said. On my test the radius was set to computer only but the wireless profile was set to user or computer. I'm Going to test that and update u the reasult

out of intrest, when user try to login to windows, it uses the credentials to authenticate with wireless and connects. Thats why we see the username in wlc. What would be the case when its only machine? The domain computer would be checked with the OU and then it gets connected? The computer name will be listed in wlc? Then the domain computers are always connected before the user even log on? 

 

Thanks and many thanks

No It doesn't work! it only works if there is Username factor involved otherwise with any combination of computer doesn't work :(

With machine authentication, you can't use User or Computer, you need to only use Computer.  Domain machines will be in the machine OU and your policy should only point to the computer OU. Do not have another policy either that has the user group OU or else it will not work, or else you can have another policy before the machine policy to deny access to the user group.

-Scott

-Scott
*** Please rate helpful posts ***

Scoot,

 

Can you comment how you seen this deployed in the real world ? Sounds like a challenge when you have BYOD etc ..

 

This is why I say cert everything that you want enterprise access. 

 

Any feedback ?

 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

I see that I'm still being called Scoot:)

Any who.... machine authentication works well, when the requirement is strictly for domain computers only.  This is not for BYOD at all and for that, it is then best to use certs on the client side and EAP-TLS policy on the radius.  Customer needs to have a solid PKI infrastructure in place for EAP-TLS or else, it may cause more issue later on.  K-12 and other verticals, like the use of machine authentication more than EAP-TLS due to not having a PKI or technical expertise on managing the PKI.  GPO makes it easy to change the domain computer profiles, but again, GPO works with domain machines.  If you use ISE or ClearPass to onboard devices, that does make it simpler for the IT staff per say as the certificate can be generated from ISE/ClearPass.  

-Scott

-Scott
*** Please rate helpful posts ***

You're Scoot because we love ha !   +5 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I have got somewhere!!! the problem is Im not so confidence about it! 

Firstly thanks everyone. specially Scott. 

now

I set the NPS policy to be "Computer Domain" & "Staff OU" then on the Wireless group policy I set it only for " Computer domain". All authenticated users can logon to our domain laptops. no one can connect to the our network with phones or etc devices because they r not joined to the domain. those special people's phones and devices still can connect to the network if their user is in  "Staff OU" 

I gave up on Cisco! I created a ghost Vlan and tried to use "Local Profiling" to put whatever android or iphone devices available on that ghost vlan and result in disconnecting them but the device is so stupid which couldn't recognize android and iphones! it worked for only ipads but the rest wasn't recognizable by Cisco WLC. 

Review Cisco Networking for a $25 gift card