Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Prevent domain users from joining guest network

  • 1.  Prevent domain users from joining guest network

    Posted May 14, 2012 07:12 AM

    Hi,

    I am posting a new message with the same subject as another one posted a year back.  In fact, I have been able to only see 2 threads which match our requirement and none of them have a definitive solution.

    Post 1

    Post 2

    As the subject says, we would like to limit domain machines from connecting to the guest network.
    We tried to create a session rule based on NetBIOS name query (udp/137), but this blacklists all machines joined to a domain.  This would have worked if we could define a destination that would have been resolved by DNS; but the public DNS cannot resolve our internal domain name, as the broadband guest access is separated from our network.

    All help would be appreciated...Thanks



  • 2.  RE: Prevent domain users from joining guest network
    Best Answer

    Posted May 14, 2012 02:59 PM

    Two suggestions.

    1) If the domain clients are Windows 7 (or Vista), you can use Group Policy to deny permissions to the guest SSID; easy to implement.

    2) You can enforce machine authentication on your dot1x authentication profile for your employee network.  When you do this, the controller caches the MAC of the successful clients (those that pass machine authentication to RADIUS) in the internal database (this time is configurable on the dot1x auth profile).   You can then set up a MAC authentication profile on the guest network; however, in this case you'd use a "success" (meaning it is found) to put it in a deny role, or better yet a role that redirects the client to a captive portal page with instructions, etc.

    I have customers doing both of these above with fairly good success.  The caveat to #2 is dealing with machine authentication on your enterprise SSID and non-domain machines.   To work around this, the MAC of these devices needs to be added manually to the internal database.

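The first suggestion in the answer above relies on the Group Policy wireless network policy (the "Network Permissions" tab lets you deny a named SSID for Windows Vista and later clients). As an added example, not code from the thread or from HPE Aruba, the script below applies the same deny locally with the built-in `netsh wlan` filter list, so it can be pushed as a GPO startup script where the wireless policy itself is not in use. The SSID name `Guest-WiFi` and the parameter name `$GuestSsid` are assumed placeholders.

```powershell
# Added example (not from the thread): block the guest SSID on a domain-joined
# Windows client, the scriptable equivalent of the GPO "deny" network permission.
# $GuestSsid is an assumed placeholder; replace it with the real guest SSID.
param([string]$GuestSsid = "Guest-WiFi")

# 1) Drop any saved profile for the guest SSID so the client cannot auto-connect
#    to it. netsh prints a message and continues if no such profile exists.
netsh wlan delete profile name="$GuestSsid"

# 2) Add a block filter, unless one for this SSID is already present.
$blockList = netsh wlan show filters permission=block
if ($blockList -match [regex]::Escape($GuestSsid)) {
    Write-Output "Block filter for '$GuestSsid' already present."
} else {
    # permission=block refuses connections to this SSID even if a user
    # tries to join it manually; networktype=infrastructure covers APs.
    netsh wlan add filter permission=block ssid="$GuestSsid" networktype=infrastructure
    Write-Output "Added block filter for '$GuestSsid'."
}

# 3) Verify: the SSID should now be listed under the block list.
netsh wlan show filters permission=block
```

This only covers the Windows clients the answer mentions; non-Windows devices still need the controller-side approach in suggestion #2, and a local administrator can remove the filter with `netsh wlan delete filter`, so it complements rather than replaces enforcement on the controller.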

  • 3.  RE: Prevent domain users from joining guest network

    Posted Sep 12, 2018 11:43 AM

    Hi - I know this is an old thread, but I wanted to see if you had any more gotchas or insight on it. I have machines that are in AD (various flavors of Windows as well as macOS) or JAMF (iPads) that should never go on guest, so I'd like to prevent that. Ideally they would not be able to attach to the Guest SSID, so I'll work with the client admins to prevent that.

    But I was thinking about your second suggestion - if they attach to guest they get a deny based on AD/JAMF membership and are served a web page that tells them to attach to the 802.1x SSID.  Any info there would be great.