
Prevent domain users from joining guest network



I am posting a new message with the same subject as another one posted a year back. In fact, I have been able to only see 2 threads which match our requirement and none of them have a definitive solution.


Post 1



As the subject says, would like to limit domain machines from connecting to the guest network. 
We tried to create a session rule based on NetBIOS name query (udp/137), but this blacklists all machines joined to a domain. This would have worked if we could define a destination which would have been resolved by the DNS, but the public DNS cannot resolve our internal domain name, as the broadband guest access is separated from our network.


All help would be appreciated...Thanks


Re: Prevent domain users from joining guest network

Two suggestions.


1) If the domain clients are Windows 7 (or Vista), you can use Group Policy to deny permissions to the guest SSID; easy to implement.


2) You can enforce machine authentication on your dot1x authentication profile for your employee network. When you do this, the controller caches the MAC of the successful clients (those that pass machine authentication to RADIUS) to the internal database (this time is configurable on the dot1x auth profile). You can then set up a MAC authentication profile on the guest network; however, in this case you'd use a "success" (meaning it is found) to put it in a deny role, or better yet a role that redirects the client to a captive portal page with instructions, etc.


I have customers doing both of these above with fairly good success. The caveat to #2 is dealing with machine authentication on your enterprise SSID and non-domain machines. To work around this, the MAC of these devices needs to be added manually to the internal database.



Systems Engineer, Northeast USA
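
The role decision described in suggestion 2, as an added example that is not part of the original reply and is not controller configuration: a small Python model of the lookup, showing how cache expiry and manually added MACs change the outcome on the guest SSID. The role names, class and function names, cache lifetime and MAC addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field

DENY_ROLE = "guest-deny-portal"  # hypothetical role: redirect to an instructions page
GUEST_ROLE = "guest-logon"       # hypothetical role: normal guest captive portal


@dataclass
class InternalDb:
    """Model of the controller's internal database of known corporate MACs."""
    cache_lifetime_s: int                       # machine-auth cache time (dot1x profile)
    cached: dict = field(default_factory=dict)  # mac -> time of last machine auth
    manual: set = field(default_factory=set)    # non-domain devices added by hand

    @staticmethod
    def norm(mac: str) -> str:
        # Accept aa:bb:.., aa-bb-.. and aabb.ccdd.eeff; compare on bare hex.
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return digits

    def machine_auth_ok(self, mac: str, now: int) -> None:
        """Record a successful machine authentication on the employee SSID."""
        self.cached[self.norm(mac)] = now

    def add_manual(self, mac: str) -> None:
        """Workaround from the reply: non-domain device entered manually."""
        self.manual.add(self.norm(mac))

    def contains(self, mac: str, now: int) -> bool:
        m = self.norm(mac)
        if m in self.manual:
            return True  # manual entries do not age out in this model
        seen = self.cached.get(m)
        return seen is not None and now - seen <= self.cache_lifetime_s


def guest_ssid_role(db: InternalDb, mac: str, now: int) -> str:
    """MAC auth on the guest SSID: a successful lookup means a corporate device."""
    return DENY_ROLE if db.contains(mac, now) else GUEST_ROLE


if __name__ == "__main__":
    db = InternalDb(cache_lifetime_s=86400)          # constructed: 24 h cache
    db.machine_auth_ok("00:11:22:AA:BB:CC", now=0)   # constructed domain laptop
    print(guest_ssid_role(db, "0011.22aa.bbcc", now=3600))    # still cached
    print(guest_ssid_role(db, "0011.22aa.bbcc", now=90000))   # cache expired
```

In this model a domain machine that has not machine-authenticated within the cache lifetime falls through to the normal guest role, and a manually added non-domain device is also sent to the deny role on the guest SSID.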
