cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict WLAN usage to certain laptops

b_g
New Contributor III

We've set up a few dozen AP together with Cloudpath and an onsite vSZ. We have configured an internal WLAN that should only be used by employees with their company laptops. So far, users can access this WLAN by using their AD credentials (authentication is done via SZ and NPS server). Cloudpath is only used for our guest WLAN.

Unfortunately, every user can also connect their mobile phones or private laptops to that particular WLAN. To prevent this I thought about using machine certificates. How do I best implement that? Or is there a better solution for that problem?

1 ACCEPTED SOLUTION

b_g
New Contributor III

Because our laptops are not AD joined and we don't know how big the effort would be to install a CA, create and distribute certificates, we will most probably go with MAC authentication. I've tested this and it works as expected. Downside is management effort since every client needs to have an user account in AD.

View solution in original post

7 REPLIES 7

garrett_collier
New Contributor III

If you have more than 128 devices, you will run up against that limitation, just fyi.

b_g
New Contributor III

I've stumpled across that limitation somewhere in the forums or manuals. However, I'm not implementing the ACL on SmartZone but with RADIUS and an AD account for each MAC address. So there should be no limitation on the number of addresses.

eizens_putnins
Valued Contributor II

Hello,

So you have MS AD, but no PKI installed, and want to prevent employees to connect private devices to the network. 

The most secure way would be to use certificates for authentication (both user and machine), but for that you need to install PKI and distribute certificates. It is a standard corporate setup, you can find step by step guides how to do it. But if company isn't that big, it may be a lot of work for not that much result.

You can get similar limitations using MAC filtering, but it is not actually secure, and  not that convenient too.

Probably the simplest way would be to use DPSK, which is somewhere in between and is easy manageable.