03-02-2020 03:16 AM - edited 07-05-2021 11:47 AM
Hi,
I have several WLCs with several SSIDs. I noticed that with a smartphone you can connect to our enterprise SSID and share the connectivity, like tethering. We use WPA2 Enterprise with Cisco ISE acting as the authentication and authorization server. I'd like to avoid this behaviour; is there a way to do that? I see we can limit the number of clients, but that doesn't apply to my case.
Thanks,
Michele
Labels: Wireless Security
Accepted Solutions
03-02-2020 11:53 AM
Hi,
You have the following technical options to fix this:
- have a corporate SSID for corporate non-mobile devices, which need access to more resources on the network and the Internet; use non-exportable certificates for 802.1X, so that non-corporate laptops cannot be used on this SSID
- have a corporate SSID for corporate mobile devices, and likewise use certificates for 802.1X (if you use usernames and passwords, users may share them with other people, even though the security policy may state otherwise), but restrict their network access to only what they need; if you allow them Internet access, they may still do tethering, so consider not doing so; if you don't allow them Internet access, they'll complain
- have an Internet-only SSID for non-corporate mobile devices and guests, with access based on username/password, which are acquired on demand and do not exist before the request
Regards,
Cristian Matei.
03-02-2020 07:15 AM
My instinct is going to be no, you can't stop it. Devices doing tethering are going to be acting as a NAT router, so you're only ever going to see one MAC address.
I'd consider this to be more a policy issue than a technical one. Make it clear that sharing is not allowed, but as it's 802.1x then you know who the user is if you see any misbehaviour. You can then sanction that user as they're responsible for anything happening under their username.
03-02-2020 08:00 AM
How do you know if they are using their private phone?
