Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2643
Views
29
Helpful
6
Replies

stop QR code user passowrd sharing Embedded wireless controller

adeebtaqui
Level 4
Level 4

‎01-30-2023 01:50 AM

Greetings to everyone

 

How to stop QR code user passowrd sharing for wlan wifi users on GUI of Embedded wireless controller?

1 person had this problem
0 Helpful
6 Replies 6

marce1000
Hall of Fame
Hall of Fame

‎01-30-2023 01:57 AM

 

 - A broad topic : you will need additional authentication schemes and or factors , check this thread for a discussion on that : https://community.ui.com/questions/Need-to-stop-users-sharing-WiFi-password-using-qr-code-from-mobile/cc10f026-40d5-4ed9-85d1-6af8253c2d2a

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R
VIP
VIP

‎01-30-2023 09:33 AM

If you use a pre-shared key you cannot stop people sharing it - that's an inherent risk with PSK.

You will need to use 802.1x with unique user IDs and 2FA to ensure that access can't be shared or certificate based authentication but that's more difficult to do on BYOD devices.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Arshad Safrulla
VIP Alumni
VIP Alumni

‎01-30-2023 01:41 PM

On top of what others recommended you can also disable Layer 2 authentication and rely on Layer 3 authentication using a captive portal with local authentication on the EWC.  This is the easiest way to solve the problem without adding much complexity, however I would still prefer what @Rich R has suggested as those methods are considered gold standard when it comes to wireless security.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-6/config-guide/ewc_cg_17_6/wireless_web_authentication.html#ID114

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Zahid MEHMOOD
Level 1
Level 1

‎10-10-2023 11:42 PM

Turn on MAC filtering Access it will surely stop Wifi password from being shared.

0 Helpful

JPavonM
VIP
VIP

‎10-11-2023 01:41 AM

MAC filtering only increment the Administrative tasks, and do not add real security (for advanced users).

Rich R
VIP
VIP
In response to JPavonM

‎10-11-2023 01:59 AM

Exactly!
Even before private MAC address anybody with the technical knowledge could change their client MAC.
Since Private MAC address, frequently changing random MAC addresses, is now a standard feature in almost all OS. 
And MAC filtering is not "secure" for the same reason - any user can fake an allowed MAC address.  Obviously it will cause a problem if 2 users try to use the same MAC at the same time but the point is that it is not secure and it will not stop people sharing the key.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
Review Cisco Networking for a $25 gift card
Top