Solved

Prevent personal devices from connecting to corporate wireless network

Posted on 2011-03-22
Last Modified: 2012-05-11
I have a CWLC 4402 with 13 Cisco AP1242. I have a situation in my corporate office with users connecting their non-corporate mobile devices (iPad, iPhone, etc.) to our corporate wireless network to use the corporate internet to surf. The WLAN ID that I have configured uses WPA1/WPA2 and a RADIUS server. They are able to connect and authenticate once they configure their personal devices because they have a corporate AD account.

I’m looking for a solution to prevent users from connecting their personal mobile devices to the corporate WLAN. One option that I was looking into is enabling MAC filtering for my corporate WLAN, but this will require me to manually enter the wireless MAC addresses of all the corporate laptops that we have. I’m not sure if there is another option and am curious to know what others are doing to deal with this issue.

Thanks,
db    
 
Question by:db21
9 Comments
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35189951
This is worth a try. The first part of the MAC address is basically the identifier; you can look up MACs easily, it is all over the place, and you may be able to block all MACs with this particular MAC string. I have never tried it, but it would allow you to block all Apple devices; then you just have to deal with BB, Android and Windows Phones.
0
 
LVL 2

Assisted Solution

by:t0dd_sw
t0dd_sw earned 100 total points
ID: 35190032
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b555bb0e-79b4-4c05-9a2e-bbb6b5f1b9b2

This might be what you are looking for, assuming that you have a Windows domain and the computers that you do want to be allowed to connect are on the domain. I've never tried this myself, but I have a customer that this may help lock things down a bit.
0
 

Author Comment

by:db21
ID: 35190048
Thanks Hutch. That would probably work; however, we have some corporate Apple, BB and Android devices that need access. These devices' MAC addresses are configured in my MOBILITY WLAN and MAC filtering is enabled. The issue now is that they can go back to my corporate WLAN and sign in their devices because it's RADIUS authentication and not MAC.

0

 
LVL 10

Expert Comment

by:Hutch_77
ID: 35190094
Can't you run both RADIUS and MAC filtering? That would be my thought; I know you can do WPA2/MAC filtering.
You could even go as far as filtering so that the allowed devices are on and all others are not... but this would obviously mean getting the MAC for every wireless device on your network and then just adding the mobile devices in as needed?

I know this would be a lot of work up front, but it would be manageable as it would rarely change.
0
 

Author Comment

by:db21
ID: 35190762
Hutch,

You can have both MAC and WPA2; however, as you mentioned, this will require me to gather all the MAC addresses we have. I just need to confirm if this is the only solution. I'm sure other corporations are dealing with the same issue, unless they are just letting users connect their personal mobile devices to the corporate WLAN.

db
0
 
LVL 10

Assisted Solution

by:Hutch_77
Hutch_77 earned 100 total points
ID: 35190861
OK, I see you weren't disagreeing then. I know most places I've been we used WPA2 over RADIUS and did not hand out the password. Thus only approved devices could get on.
0
 
LVL 32

Accepted Solution

by:nappy_d
nappy_d earned 200 total points
ID: 35194047
MAC address filtering, in conjunction with WPA RADIUS, is the best way to keep non-corp devices off the corp network. A lot of work, but it works.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 100 total points
ID: 35207016
Actually, a computer certificate in conjunction with RADIUS is far more secure than MAC filtering with RADIUS, as it is extremely easy to spoof a MAC address.

For machines that aren't on the Windows domain, but are corporate devices, you can enroll to obtain a certificate instead of simply pushing one to clients via GPO.
0
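An audit of RADIUS authentication records for the situation in this thread (AD user credentials accepted from devices that are not corporate hardware), as an added example that is not part of any post above. The log layout, the inventory set and the `host/` prefix used to recognise computer accounts are assumptions, and all sample records are constructed.

```python
import csv
import io
import re

# Constructed sample records; User-Name and Calling-Station-Id are standard
# RADIUS attributes, the three-column layout itself is an assumption.
SAMPLE_LOG = """\
time,user_name,calling_station_id
2011-03-22T09:01:10,host/LAPTOP01.corp.example,00-11-22-AA-BB-01
2011-03-22T09:03:42,CORP\\jsmith,00-11-22-AA-BB-01
2011-03-22T09:15:07,CORP\\jsmith,00:11:22:cc:dd:02
2011-03-22T09:20:31,CORP\\akhan,0A-11-22-EE-FF-03
"""

# Constructed inventory of corporate wireless adapters.
CORPORATE_MACS = {"001122aabb01"}


def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set (not vendor-assigned)."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(log_text, inventory):
    """Return findings for user logons from devices outside the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = normalize_mac(row["calling_station_id"])
        # Assumption: computer accounts authenticate as host/<fqdn>.
        if row["user_name"].lower().startswith("host/") or mac in inventory:
            continue
        reason = ("locally administered MAC" if is_locally_administered(mac)
                  else "MAC not in inventory")
        findings.append((row["time"], row["user_name"], mac, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, CORPORATE_MACS):
        print(*finding, sep="  ")
```

A device that presents a MAC copied from the inventory is not flagged by this audit, which is the limitation the computer-certificate approach above does not share.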
 
LVL 46

Expert Comment

by:Craig Beck
ID: 35207024
0
