We're using Catalyst 9800 cont. and 801.x peap with ldap username on one of ssid profile. Unfortunately ,some users gave their credentials to others and they logon same username/password.
Actually profile has wpa2/wpa3 , 802.1x, aes settings also on AAA tab i'm using NPS server for authentication for ldap users on active directory. This ssid only using for users own android/ios devices internet connection because of this i prefer peap/mschapv2 (on NPS policy) instead of eap/tls.
The NPS server may be able to have a policy created locking the number of logins down to X number of devices, alternatively it may allow you to do some MFA so the user has to accept the connection (although this would also impact good users).
Management enforcing it and when caught breaching the corporate IT policy issuing disciplinary action against them, word will spread.
EAP-TLS/ EAP-TEAP and certificates are really the only way to prevent it.
*****Help out other by using the rating system and marking answered questions as "Answered"***** *** Please rate helpful posts ***
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
