02-17-2015 07:36 PM - edited 07-05-2021 02:31 AM
Hi, please help its killing me! Its not pure Cisco but Im sure you guys might have some solution in your mind.
I want only domain computers plus one OU (Staff) be able to connect to our network. I am trying to restrict Mobile Phones (iphone and android) and personal laptops from connecting to our wireless network.
We use a windows based NPS. it is currently set to allow anyone to connect with their domain computer OR Domain username.
So to the Network Policy I added "Domain Computers" (using "Windows Groups", I also tried "Machine Groups") within the Conditions tab.
I tested to see if a laptop could still connect and it could not.
I have tried many many different combinations within the conditions tab to try and get this working but to no avail.
1. just having "domain computers" (either windows or machine groups)
2. having domain users and domain computers (with all combinations of windows/machine/users groups)
3. I even tried Operating system conditions
These are all set in "And" values, if set to OR (in combination with Domain Users) then the laptop connects, but then so does the phone.
Regards?
02-18-2015 02:54 AM
To blacklist android and iphone, you can profile the endpoint devices and based on profiling data you can create authorization rules
02-18-2015 03:07 AM
02-20-2015 05:25 AM
In my opinion the way you only allow domain device access to the network is you need to install something on the box.
mdm
certificate eap-tls
agent
profiling will not get you there accurately ..
02-20-2015 02:31 AM
Hi
i managed to setup local profiling but the problem is wlc seem to not correctly detect the endpoints! I chosed Samsung phones and Android os but its not recognizing it. Ipad works but iphones nah!
anyone with any comments appriciated because i really need to block the phones. Wlc seems not have the mac wildcard feature other wise i try to create a mac wildcard acl
02-20-2015 05:41 AM
Use machine authentication and push a GPO to change the domain machine wireless profile to authenticate using machine only. Then change your radius policy to point to your computer OU. This will only allow domain computers to join.
-Scott
02-20-2015 11:16 PM
Hi Scott
thanks for the answer and im going to do as what u said. On my test the radius was set to computer only but the wireless profile was set to user or computer. I'm Going to test that and update u the reasult
out of intrest, when user try to login to windows, it uses the credentials to authenticate with wireless and connects. Thats why we see the username in wlc. What would be the case when its only machine? The domain computer would be checked with the OU and then it gets connected? The computer name will be listed in wlc? Then the domain computers are always connected before the user even log on?
Thanks and many thanks
02-22-2015 10:19 PM
No It doesn't work! it only works if there is Username factor involved otherwise with any combination of computer doesn't work :(
02-23-2015 04:14 AM
With machine authentication, you can't use User or Computer, you need to only use Computer. Domain machines will be in the machine OU and your policy should only point to the computer OU. Do not have another policy either that has the user group OU or else it will not work, or else you can have another policy before the machine policy to deny access to the user group.
-Scott
02-23-2015 07:58 AM
Scoot,
Can you comment how you seen this deployed in the real world ? Sounds like a challenge when you have BYOD etc ..
This is why I say cert everything that you want enterprise access.
Any feedback ?
02-23-2015 08:28 AM
George,
I see that I'm still being called Scoot:)
Any who.... machine authentication works well, when the requirement is strictly for domain computers only. This is not for BYOD at all and for that, it is then best to use certs on the client side and EAP-TLS policy on the radius. Customer needs to have a solid PKI infrastructure in place for EAP-TLS or else, it may cause more issue later on. K-12 and other verticals, like the use of machine authentication more than EAP-TLS due to not having a PKI or technical expertise on managing the PKI. GPO makes it easy to change the domain computer profiles, but again, GPO works with domain machines. If you use ISE or ClearPass to onboard devices, that does make it simpler for the IT staff per say as the certificate can be generated from ISE/ClearPass.
-Scott
02-23-2015 07:29 PM
You're Scoot because we love ha ! +5
02-23-2015 05:23 PM
I have got somewhere!!! the problem is Im not so confidence about it!
Firstly thanks everyone. specially Scott.
now
I set the NPS policy to be "Computer Domain" & "Staff OU" then on the Wireless group policy I set it only for " Computer domain". All authenticated users can logon to our domain laptops. no one can connect to the our network with phones or etc devices because they r not joined to the domain. those special people's phones and devices still can connect to the network if their user is in "Staff OU"
I gave up on Cisco! I created a ghost Vlan and tried to use "Local Profiling" to put whatever android or iphone devices available on that ghost vlan and result in disconnecting them but the device is so stupid which couldn't recognize android and iphones! it worked for only ipads but the rest wasn't recognizable by Cisco WLC.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide