cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict WLAN usage to certain laptops

b_g
New Contributor II

We've set up a few dozen AP together with Cloudpath and an onsite vSZ. We have configured an internal WLAN that should only be used by employees with their company laptops. So far, users can access this WLAN by using their AD credentials (authentication is done via SZ and NPS server). Cloudpath is only used for our guest WLAN.

Unfortunately, every user can also connect their mobile phones or private laptops to that particular WLAN. To prevent this I thought about using machine certificates. How do I best implement that? Or is there a better solution for that problem?

1 ACCEPTED SOLUTION

b_g
New Contributor II

Because our laptops are not AD joined and we don't know how big the effort would be to install a CA, create and distribute certificates, we will most probably go with MAC authentication. I've tested this and it works as expected. Downside is management effort since every client needs to have an user account in AD.

View solution in original post

7 REPLIES 7

eizens_putnins
Valued Contributor II

It's always same old problem. Simpliest way -- situation is for 99% resolvable setting device OS policy to deny iOS + Android phones (don't use "allow only Windows", as after some update you'll get complaints that Windows laptops can't access network).

Also if you use Radius with user certificate authentication, which are provisioned automaticlaly, there will be no problems with phones too.

Of cause, you can use double authentication - machine+user, but it is more cumbersome.

b_g
New Contributor II

Unfortunately, this would prevent mobile phones to connect but not private Windows laptops.

garrett_collier
New Contributor III

I think I asked the same question as you, using different words. You appear to be using similar components as we are. Please take a look at my post and see if it fits your use-case: https://forums.ruckuswireless.com/conversations/smartzone-and-virtual-smartzone/smartzone-aaa-wlan-a...

b_g
New Contributor II

Because our laptops are not AD joined and we don't know how big the effort would be to install a CA, create and distribute certificates, we will most probably go with MAC authentication. I've tested this and it works as expected. Downside is management effort since every client needs to have an user account in AD.