07-25-2022 05:52 AM
Hello,
I have a WLC AIR-AP1815I-I-K9 with WPA2 Personal + MAC filter authentication,
and created the VLAN for the WiFi users on the firewall, passing it to FMC 6.4.0.4.
I found some users sharing the internet by hotspot from laptops and mobiles.
Is there any solution to prevent that?
Thanks in advance.
07-25-2022 04:25 PM
@W-ALI wrote:
I found some users sharing the internet by hotspot from laptops and mobiles.
Depends on what country you are in.
But legally, no. You cannot.
07-25-2022 10:12 PM
Thanks @Leo Laohoo for your reply.
Our company policy prevents any employee from sharing any data with an unauthorized user or device, and all employees signed for that, because it's illegal to use company resources without approval, even the internet by hotspot; that affects company internet performance and network security.
07-25-2022 10:23 PM - edited 07-25-2022 10:25 PM
@W-ALI wrote:
because it's illegal to use company resources without approval, even the internet by hotspot; that affects company internet performance and network security.
Make sure internet access is not allowed. Across the board.
Make sure the glass windows are "low-e". This will block anything wireless.
07-25-2022 10:34 PM
The WiFi users must access the internet, I can't deny that; their work depends on the internet.
There's already a domain policy to disable the hotspot option for laptops joined to the domain, but we can't find any solution for mobiles.
07-25-2022 10:52 PM
@W-ALI wrote:
The WiFi users must access the internet, I can't deny that; their work depends on the internet.
Well, this contradicts company policy then.
07-26-2022 12:03 AM
An unknown device or unauthorized user who uses WiFi contradicts company policy.
07-26-2022 12:57 AM
@W-ALI wrote:
An unknown device or unauthorized user who uses WiFi
Well, no. That is not correct.
If a person logs into the corporate SSID, that person is authorized to use the WiFi.
If a person signs up for free WiFi, then that person is authorized to use the WiFi.
The thing is, if the company really wants to "police" the policy, then WiFi is not the answer. A firewall and proxy server is the answer.
07-26-2022 01:12 AM
That's correct @Leo Laohoo,
but what happens is: the person logs into the corporate SSID and is authorized to use the WiFi, but he shares the internet by hotspot with his coworker, who is not authorized to use WiFi.
07-26-2022 01:27 AM
@W-ALI wrote:
but he shares the internet by hotspot with his coworker, who is not authorized to use WiFi.
That is good.
This only proves the problem is not a technology issue but a policy issue.
This has been demonstrated over and over again when users want something and management refuses. They either do something like this or similar, like bringing hubs into the corporate network.
07-26-2022 06:47 AM
Like Leo said, you can potentially solve this problem by allowing internet access via proxy only from authorised devices.
But ultimately this is bad policy and design. Just provide an open guest SSID for users to connect their own devices to, otherwise they will just keep circumventing your controls as you've discovered and as fast as you close loopholes they'll find new ones.
And if you're still insisting on trying to control your users then it is possible to use MDM to apply policies to practically any device but users probably won't allow you to control their personal devices so that's unlikely to help you much.
Just move into the 21st century and let your users access WiFi - needs a rethink on policy by senior management who often try to apply 20 year old policies in an age where everyone expects to have WiFi/internet all the time.
That will ultimately save you time and effort and make your corporate network more secure because personal devices will be separated. All you need is an "acceptable use policy" with content filtering to ensure no blatant misuse for unacceptable content but content filtering can be circumvented too so that should then be dealt with by HR based on the AUP.
07-26-2022 08:16 AM
Thanks @Rich R for your input.
I agree with you, but the situation differs from company to company depending on policy and work environment, especially when it involves highly confidential data and working with 1300+ employees.
By default we must block everything and permit just what's needed; that's recommended by the security audit and we are forced to do it in order for the company to obtain quality certificates for network and security.
Thanks again for your input, I appreciate it.
07-26-2022 11:48 AM - edited 07-26-2022 11:50 AM
>especially when it involves highly confidential data
It sounds to me like you don't have the appropriate tools and processes in place to be safe.
If you are worried about protecting highly confidential data then you should (at a minimum) have a DLP solution in place. Specifically, if you are in a Microsoft world, you should be looking at Information Rights Management. This allows you to control specifically who can access data, and it does not matter where that person is located. If an employee emailed/sent IRM-protected data to an outside party, that party could not use the data. If you had an information disclosure, you can withdraw access to that data.
Currently, what is your plan if some of this data is breached (and it will be breached, it is just a matter of when)?
Secondly, you need to look at ways to limit access to core apps (such as Office 365) to corporate-owned (or approved devices only). You can do this using Azure AD Premium P1 (or better) and Intune, or my preference, Cisco Duo (using the beyond plan) and a trusted device policy. This also allows the system to prevent access to sensitive systems from a compromised device. And it specifically allows you to say systems can only be accessed from an approved device (so an outside party would not be able to access your systems, even with a user's username and password).
https://duo.com/docs/trusted-endpoints
What currently is your plan to prevent access to your data from untrusted or compromised devices?
You should also be using "label" management to classify data. Then you can create rules to say things like "highly sensitive" data may never leave your network. "Sensitive" data may only leave with a manager's approval. Etc. You decide your own requirements and rules.
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide
You can Google "Zero Trust" if you want to learn more about these general concepts.
At least this is what I do with my clients to keep them safe. Once you have appropriate controls, systems and tools in place, internet access isn't such a threat. You aren't having to 100% rely on your perimeter as your only line of defence; it's just a layer of protection in a multi-faceted approach to data security.
07-26-2022 01:14 PM
A million thanks @Philip D'Ath for your post, really it's amazing and it contains very important and wonderful tips.
I agree totally with you.
As you know, there is a specific financial budget for the IT department and it should not be exceeded.
The highest protection must be provided at the lowest cost; this is the management policy in most companies.
The IT administrator always tries to provide the highest service and protection at the lowest cost to obtain the satisfaction of management.
Technically, there's already a highly restrictive security policy for the PCs applied by Microsoft Domain and Cisco devices, plus a strong set of monitoring tools.
However, as you know, there is no final limit to security, no 100% security.
We just try to do the best we can with the possibilities available.
Thank you so much to you and all the geniuses in this wonderful community,
all of them an important source of information for us to learn more.
07-27-2022 11:32 PM
For Windows laptops you can create a policy to disable connection sharing (https://www.tenforums.com/tutorials/106796-enable-disable-mobile-hotspot-windows-10-a.html). Unfortunately, for mobile devices the only option is to use an MDM solution.
In parallel, you can also disable connection to unknown networks using GPO, so you can whitelist only the SSIDs that are safe to use, but this option limits teleworking.
HTH
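As an added example (not from the reply above or from any of the posters), the script below audits and enforces the two Windows-side controls that reply describes on a single laptop: the "Prohibit use of Internet Connection Sharing on your DNS domain network" policy, which is what the linked tutorial uses to disable Mobile Hotspot, and a netsh wlan SSID allow-list. It assumes an elevated PowerShell session on a domain-joined Windows 10/11 host, that the policy maps to the NC_ShowSharedAccessUI registry value (an assumption to verify against your GPO reference), and the SSID names are constructed placeholders.

```powershell
# Added example, not the poster's code. Audits/enforces hotspot prohibition and an SSID allow-list.
# In production push the same settings via GPO; this script is for checking a single host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$ValueName = 'NC_ShowSharedAccessUI'   # DWORD 0 = "Prohibit use of ICS" (assumed mapping, see lead-in)

function Test-HotspotProhibited {
    # Returns $true only when the policy value exists and is set to 0.
    $p = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.$ValueName -eq 0)
}

function Set-HotspotProhibited {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    # A hotspot that is already running keeps working until its service stops, so stop it now.
    $svc = Get-Service -Name icssvc -ErrorAction SilentlyContinue   # Windows Mobile Hotspot Service
    if ($svc -and $svc.Status -eq 'Running') { Stop-Service -Name icssvc -Force }
}

function Set-CorporateSsidAllowList {
    param([string[]]$AllowedSsids)
    foreach ($ssid in $AllowedSsids) {
        netsh wlan add filter permission=allow ssid="$ssid" networktype=infrastructure | Out-Null
    }
    # Deny every other infrastructure network and all ad-hoc networks. This is the setting the
    # reply warns about: it also blocks home and hotel SSIDs, so teleworkers need an exception.
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
}

function Get-WlanFilters { netsh wlan show filters }

# --- usage: constructed SSID names, replace with your own corporate SSIDs ---
if (-not (Test-HotspotProhibited)) {
    Write-Warning 'Mobile hotspot is NOT prohibited on this host; applying the policy.'
    Set-HotspotProhibited
}
Set-CorporateSsidAllowList -AllowedSsids @('CORP-WIFI-EXAMPLE', 'CORP-WIFI-EXAMPLE-2')
Get-WlanFilters
```

Run Test-HotspotProhibited on its own from a compliance check (for example a scheduled task reporting to your monitoring) to detect laptops where the GPO has not applied, since a missing policy is exactly the gap that lets the hotspot be re-enabled.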