03-02-2020 03:16 AM - edited 07-05-2021 11:47 AM
Hi,
I have several WLCs with several SSIDs. I noticed that, with a smartphone, you can connect to our enterprise SSID and share the connectivity via tethering. We use WPA2 Enterprise with Cisco ISE acting as the authentication and authorization server. I'd like to avoid this behaviour; is there a way to do that? I see we can limit the number of clients, but that doesn't apply to my case.
Thanks,
Michele
03-02-2020 11:53 AM
Hi,
You have the following technical options to fix this:
- have a corporate SSID for corporate non-mobile devices, which need access to more resources on the network and the Internet; use non-exportable certificates for 802.1X, so that non-corporate laptops cannot be used on this SSID
- have a corporate SSID for corporate mobile devices, likewise using certificates for 802.1X (if you use usernames and passwords, users may share them with other people, even though security policy may state otherwise), but restrict their network access to only what they need; if you allow them Internet access, they may still do tethering, so consider not to; if you don't allow them Internet access, they'll complain
- have an Internet-only SSID for non-corporate mobile devices and guests, with access based on username/password credentials that are acquired on demand and do not exist before the request
Regards,
Cristian Matei.
03-02-2020 07:15 AM
My instinct is going to be no, you can't stop it. Devices doing tethering are going to be acting as a NAT router, so you're only ever going to see one MAC address.
I'd consider this to be more a policy issue than a technical one. Make it clear that sharing is not allowed, but as it's 802.1X, you know who the user is if you see any misbehaviour. You can then sanction that user, as they're responsible for anything happening under their username.
03-02-2020 08:00 AM
How do you know if they are using their private phone?