09-18-2023 02:19 PM
We have a 9800-L WLC, running 3 main WLANs.
Employee production - Internal resources and Internet Access,
Guest - Internet Access only, ACLs in place to block all access to internet resources
MAC Filtering - MAC address list + PSK, for printers, RF Guns, Tablets, and essentially anything that is not a person that needs wireless access to the internet and internal resources.
Today, our Client Support has enabled wireless access for the majority of IDs. This means that I can use xxx to connect to the employee wireless. Now I can use that on my work computer, BYOD, or my cell phone. I want to be able to limit an Active Directory ID to only be able to connect to a specific WLAN. There are a few ways to do this, some way more complex than others.
Here is what I have in place today.
Cisco 9800-L controller, Windows server running NPS - RADIUS agent. I do not have Cisco ISE. Has anyone been able to do this or has anyone done this? What is the best method? Tips/Tricks?
09-18-2023 03:29 PM
I want to be able to limit an Active Directory ID to only be able to connect to a specific WLAN.
If you are looking for the WLAN (Employee production - Internal resources and Internet Access) to use your AD authentication, you need to enable RADIUS and use your AD account as the authentication mechanism.
In most cases people use certs (local PKI) and AD authentication.
Some examples:
https://howiwifi.com/2020/07/21/cisco-9800-802-1x-eap-user-authentication-with-windows-radius-nps/
https://howiwifi.com/2020/04/08/cisco-9800-802-1x-eap-tls-using-windows-server-ca-and-nps/
09-19-2023 12:43 AM
This is how I do it with MS NPS:
- Enroll corporate laptops into the AD
- Deploy an internal certificate to all laptops
- Add all corporate laptops to a given AD Group
- Tune the MS NPS policy like:
-- Condition#1: "Machine Groups" == Add your Corp Laptops AD Groups here
-- Condition#2: "Called-station-ID" == ".*:YOURSSIDHERE"
-- Constraint#1: "Authentication Methods" == PEAP or SmartCard/Certificate using the internally signed certificate used by laptops.
On the laptops side, deploy a GPO with the current settings for YOURSSID with machine authentication and the certificate you have deployed.
This way you will prevent external devices from connecting to the corporate SSID.
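The two conditions and the constraint in the post above can be modelled to see which requests pass and which fall through. The following is an added illustration, not the poster's NPS configuration and not Microsoft or Cisco code: it assumes a 9800 that sends Called-Station-Id as "<AP radio MAC with hyphens>:<SSID>", an NPS that evaluates the pattern as an unanchored regular-expression search, and constructed names (SSID CORP-WIFI, AD group CORP-Laptops, sample MACs and accounts).

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed values for illustration only; substitute your own SSID and group.
CORP_SSID = "CORP-WIFI"
CORP_LAPTOP_GROUPS = frozenset({"CORP-Laptops"})
ALLOWED_METHODS = frozenset({"PEAP", "EAP-TLS"})


@dataclass(frozen=True)
class AccessRequest:
    """The subset of a RADIUS Access-Request the policy in the post looks at."""
    identity: str                    # User-Name; "host/..." for machine authentication
    machine_groups: FrozenSet[str]   # AD groups of the computer account; empty when the
                                     # device is not domain-joined and has no computer account
    called_station_id: str           # assumed 9800 format "<AP radio MAC>:<SSID>"
    auth_method: str


def ssid_from_called_station_id(csid: str) -> str:
    """Split on the first colon only: a hyphenated MAC contains none, an SSID may."""
    _mac, _sep, ssid = csid.partition(":")
    return ssid


def matches_condition(pattern: str, value: str) -> bool:
    """Assumption about NPS semantics: the pattern is an unanchored search.

    Consequence: ".*:CORP-WIFI" also matches "...:CORP-WIFI-GUEST";
    anchoring with ^ and $ pins the match to the whole SSID.
    """
    return re.search(pattern, value) is not None


def evaluate(req: AccessRequest, ssid_pattern: str) -> str:
    """Apply the post's policy.

    Condition 1: computer account is in a corporate laptop group.
    Condition 2: Called-Station-Id matches the SSID pattern.
    Constraint:  authentication method is PEAP or certificate based.

    Returns "no-match" (conditions not met, NPS tries the next policy),
    "reject" (conditions met but constraint failed) or "accept".
    """
    in_corp_group = bool(req.machine_groups & CORP_LAPTOP_GROUPS)
    ssid_ok = matches_condition(ssid_pattern, req.called_station_id)
    if not (in_corp_group and ssid_ok):
        return "no-match"
    if req.auth_method not in ALLOWED_METHODS:
        return "reject"
    return "accept"


def demo() -> Dict[str, str]:
    """Run constructed requests through the policy and collect the outcomes."""
    ap = "00-11-22-33-44-55"  # constructed AP radio MAC
    laptop = AccessRequest("host/LAPTOP01.corp.example", frozenset({"CORP-Laptops"}),
                           f"{ap}:{CORP_SSID}", "EAP-TLS")
    # A personal tablet: the user ID is valid, but there is no computer account,
    # so the Machine Groups condition cannot be satisfied.
    byod = AccessRequest("jdoe", frozenset(), f"{ap}:{CORP_SSID}", "PEAP")
    legacy = AccessRequest("host/LAPTOP02.corp.example", frozenset({"CORP-Laptops"}),
                           f"{ap}:{CORP_SSID}", "MSCHAPv2")
    # Same laptop associating to a similarly named SSID.
    on_guest = AccessRequest("host/LAPTOP01.corp.example", frozenset({"CORP-Laptops"}),
                             f"{ap}:{CORP_SSID}-GUEST", "EAP-TLS")
    loose = rf".*:{CORP_SSID}"        # pattern as written in the post
    strict = rf"^.*:{CORP_SSID}$"     # anchored variant
    return {
        "corp_laptop_on_corp_ssid": evaluate(laptop, loose),
        "byod_on_corp_ssid": evaluate(byod, loose),
        "corp_laptop_legacy_method": evaluate(legacy, loose),
        "corp_laptop_on_guest_ssid_unanchored": evaluate(on_guest, loose),
        "corp_laptop_on_guest_ssid_anchored": evaluate(on_guest, strict),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:40s} {outcome}")
```

The BYOD case shows why the Machine Groups condition is what keeps a valid user ID off the corporate SSID from an unmanaged device: without a computer account there is no group to match. The two guest-SSID results show the value of anchoring the Called-Station-Id pattern when SSID names share a prefix.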
09-19-2023 06:27 AM
Sorry, I don't think I correctly and fully explained my issue. The Employee production wireless is working fine. I am not concerned what device the employee uses their personal ID on, as all traffic is logged under their name.
My real concern is the generic IDs. Generic IDs are used on community use computers or special purpose computers. They are also used on Android/Apple tablets that are not added to our company domain. Since the generic IDs are in the wireless group, they can connect to wireless. This means that these IDs, since they are able to connect to wireless, can be used on company owned devices as well as personal BYOD type devices, since AD only authenticates the ID, not the tablet or phone that it is being used on. Good example: x77002 is set in AD to log on to computer XYZ. But, since it is in the wireless group, it can also be used on non-AD joined devices. Is there a way to stop these generic IDs from being used on non-domain-joined devices?