
8 Messages • 202 Points

Wed, Jun 16, 2021 1:47 PM

Restrict WLAN usage to certain laptops

We've set up a few dozen AP together with Cloudpath and an onsite vSZ. We have configured an internal WLAN that should only be used by employees with their company laptops. So far, users can access this WLAN by using their AD credentials (authentication is done via SZ and NPS server). Cloudpath is only used for our guest WLAN.

Unfortunately, every user can also connect their mobile phones or private laptops to that particular WLAN. To prevent this I thought about using machine certificates. How do I best implement that? Or is there a better solution for that problem?

Accepted Solution

8 Messages • 202 Points

5 m ago

Because our laptops are not AD joined and we don't know how big the effort would be to install a CA, create and distribute certificates, we will most probably go with MAC authentication. I've tested this and it works as expected. The downside is management effort, since every client needs to have a user account in AD.

32 Messages • 682 Points

If you have more than 128 devices, you will run up against that limitation, just fyi.

8 Messages • 202 Points

I've stumbled across that limitation somewhere in the forums or manuals. However, I'm not implementing the ACL on SmartZone but with RADIUS and an AD account for each MAC address. So there should be no limitation on the number of addresses.
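The approach in the accepted solution and the reply above (one AD account per laptop MAC address, checked by NPS over RADIUS) is mostly a provisioning chore. The script below is an added example, not code from the thread or from Ruckus, that bulk-creates and audits those accounts from an inventory file. It assumes, as the thread does not say, that SmartZone sends the MAC as both User-Name and User-Password in lower case without separators, and that the OU, group and CSV path are placeholders to adjust; confirm the format from an NPS log entry for a test client before running it.

```powershell
# Added example: provision one AD account per company-laptop MAC for NPS MAC authentication.
# Assumptions (not from the thread): MAC arrives as "aabbccddeeff" in User-Name/User-Password;
# OU, group and CSV path below are placeholders. Requires the ActiveDirectory (RSAT) module.
$MacListPath = ".\company-laptops.csv"               # hypothetical file, columns: Mac,AssetTag
$OU          = "OU=MAC-Auth,DC=example,DC=local"      # placeholder OU reserved for these accounts
$Group       = "WLAN-Corporate-MAC"                   # placeholder group the NPS network policy matches on

function Format-MacAccount {
    param([string]$Mac)
    # Normalise "AA-BB-CC-DD-EE-FF", "aa:bb:cc:dd:ee:ff" or "aabb.ccdd.eeff" to "aabbccddeeff".
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Invalid MAC address in inventory: '$Mac'" }
    return $hex
}

Import-Module ActiveDirectory
$rows = Import-Csv $MacListPath

foreach ($row in $rows) {
    $account = Format-MacAccount $row.Mac
    if (Get-ADUser -Filter "SamAccountName -eq '$account'" -ErrorAction SilentlyContinue) {
        Write-Host "exists: $account ($($row.AssetTag))"
        continue
    }
    # The password equals the MAC, which is weak by design for this method: keep the accounts
    # in their own OU and group, deny them interactive logon via GPO, and reference only the
    # group from the WLAN network policy in NPS so nothing else accepts them.
    $pw = ConvertTo-SecureString $account -AsPlainText -Force
    New-ADUser -Name $account -SamAccountName $account -Path $OU `
        -Description "MAC auth: laptop $($row.AssetTag)" `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    Add-ADGroupMember -Identity $Group -Members $account
    Write-Host "created: $account ($($row.AssetTag))"
}

# Audit pass: flag accounts in the group that no longer match an inventory row
# (decommissioned or lost laptops), so they can be disabled rather than linger.
$known = $rows | ForEach-Object { Format-MacAccount $_.Mac }
Get-ADGroupMember -Identity $Group |
    Where-Object { $known -notcontains $_.SamAccountName } |
    ForEach-Object { Write-Warning "stale MAC account, not in inventory: $($_.SamAccountName)" }
```

The NPS network policy must also allow the authentication method SmartZone uses for MAC authentication (commonly PAP, which is an assumption here); check the policy's authentication tab against a failed-request log entry if clients are rejected.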

477 Messages • 5.9K Points

6 m ago

It's always the same old problem. Simplest way: the situation is 99% resolvable by setting a device OS policy to deny iOS + Android phones (don't use "allow only Windows", as after some update you'll get complaints that Windows laptops can't access the network).

Also, if you use RADIUS with user certificate authentication, where certificates are provisioned automatically, there will be no problems with phones either.

Of course, you can use double authentication, machine + user, but it is more cumbersome.

8 Messages • 202 Points

Unfortunately, this would prevent mobile phones from connecting, but not private Windows laptops.

32 Messages • 682 Points

6 m ago

I think I asked the same question as you, using different words. You appear to be using similar components as we are. Please take a look at my post and see if it fits your use-case: https://forums.ruckuswireless.com/conversations/smartzone-and-virtual-smartzone/smartzone-aaa-wlan-access/60c9fc92c394d5731d05b289

477 Messages • 5.9K Points

5 m ago

Hello,

So you have MS AD, but no PKI installed, and want to prevent employees from connecting private devices to the network.

The most secure way would be to use certificates for authentication (both user and machine), but for that you need to install PKI and distribute certificates. It is a standard corporate setup; you can find step-by-step guides on how to do it. But if the company isn't that big, it may be a lot of work for not that much result.

You can get similar limitations using MAC filtering, but it is not actually secure, and not that convenient either.

Probably the simplest way would be to use DPSK, which is somewhere in between and is easily manageable.
