
Prevent Password Sharing using QRCode

AhmadZ
Level 1

Dear All,

I have some Cisco Access Points, where one of these APs is a controller. I have several SSIDs configured, but users are able to use their phones to generate QR codes for the SSIDs and share passwords with others. What's the best practice to stop this using the Cisco WiFi Controller settings?

Thanks!


Hello

If you are using PSK for authentication, I don't believe you can do anything. This is just the phone transferring the password to another phone.

What you can do is change the authentication method to something else, like portal or RADIUS. Or you can use a MAC address filter if you have control over the devices you need to serve.

I'm thinking of using, for example, certificate-based authentication, so anyone who needs to connect to such an SSID must have the certificate installed on his phone. Or maybe a RADIUS server, as you said, in order for them to authenticate using a username and password. But I have a question regarding the certificate solution: what's the best practice for this?

Thanks! 

First of all, are those devices under your administration? A certificate is always the best option if you manage the end user devices. Then you can use some platform, like MDM, in order to install certificates.

But if you do not manage the device (BYOD), then it is a different situation. In this case your challenge is bigger and you should think about a guest network with a portal.

  

End user devices are employees' devices. I don't know how applicable and effective this could be. Can you please explain more technically regarding both scenarios? Thanks!

If they are employees, then it can be easier. You need to have a RADIUS server (it would be great if you have Cisco ISE, but it is not required), and you need to get a tool to manage mobile devices in order to install the certificates. There are many out there.

After that, you need to create the configuration on the RADIUS server and on the WLC, install the certificates, and that's it.

Here in the community there will be plenty of material related to this scenario. This link is just one example.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

 

 
