
Authorization Attributes from Radius Input

  • 1.  Authorization Attributes from Radius Input

    Posted Jun 25, 2013 04:17 PM

    Hi,

     

    I am trying to block domain laptops from the Guest network via a lookup in AD.

     

    However, for some reason I only get 1 authorization Attribute through in the radius input log.

     

    Authorization:[Endpoints Repository]:Unique-Device-Count1

     

    I have made sure that the Insight database is selected and also restarted all the services again.

     

    It makes no difference. Any ideas?



  • 2.  RE: Authorization Attributes from Radius Input

    EMPLOYEE
    Posted Jun 25, 2013 08:26 PM

    What are you looking up in AD?  You could try checking for the [MACHINE AUTHENTICATED] role because that would be tied to the mac address of that device, but that might be it....



  • 3.  RE: Authorization Attributes from Radius Input

    Posted Jun 26, 2013 11:52 AM

    The Customer doesn't want any corporate Laptops to be able to access the guest network.

     

    Therefore, we would like it to query AD to see if it has a valid machine name and if so reject it?

     

    Is this possible?



  • 4.  RE: Authorization Attributes from Radius Input

    EMPLOYEE
    Posted Jun 26, 2013 11:55 AM

    Not possible, because as a guest, the only two things we can use for authentication are the mac address of the device upon association and the username of the guest.

     

    Using mac authentication, if the device has already authenticated as a domain computer, it might be able to derive the built-in CPPM [Machine Authenticated role], which you could use to put the device in a VLAN or in a role that brings up a page, rejecting the device.

     

    Alternatively, you can use group policy to push an SSID with the guest SSID name with a WEP key, so that those devices simply cannot connect to the guest SSID.

     



  • 5.  RE: Authorization Attributes from Radius Input

    Posted Jun 26, 2013 11:59 AM

    I'm pretty new to this, is there a guide to how you would do this?



  • 6.  RE: Authorization Attributes from Radius Input
    Best Answer

    Posted Jul 08, 2013 02:33 PM


    Simply use Group Policy to make the Guest network invisible to Domain Machines.

     

    If you set it to "Deny" the users cannot even "see" it in the list of available WLANs on a Domain Member machine.

     

    (You can also prioritize ordering of ESSIDs for supported networks as well) 

     

    Helps to avoid the support calls because user is on local hotspot network instead of your corporate network.
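
A local, single-machine equivalent of the Group Policy deny filter described in the answer above, as an added example that is not part of the original thread. It uses the Windows `netsh wlan` filter commands to test the behaviour on one domain laptop before the policy is rolled out; the SSID `Example-Guest` is a placeholder (assumption), and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Run elevated on a Windows client.
# Placeholder SSID (assumption): replace with the real guest ESSID.
$GuestSsid = 'Example-Guest'

# Only act on domain members; personal and visitor devices are left alone.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "$($cs.Name) is not domain joined; no filter applied."
    return
}

# Add a block (deny) filter for the guest SSID. A blocked network is
# hidden from the list of available WLANs and cannot be connected to.
netsh wlan add filter permission=block ssid=$GuestSsid networktype=infrastructure
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netsh could not add the block filter (exit code $LASTEXITCODE)."
}

# Remove any profile a user saved for the guest SSID before the filter
# existed, so no stale credentials or auto-connect settings remain.
# netsh reports an error here if no such profile exists; that is expected.
netsh wlan delete profile name=$GuestSsid | Out-Null

# Show the resulting allow/block lists so the change can be verified.
# Filters pushed by Group Policy are listed separately from local ones.
netsh wlan show filters

# To undo the local test filter afterwards:
#   netsh wlan delete filter permission=block ssid=Example-Guest networktype=infrastructure
```

A filter added this way is a local setting that a local administrator can remove, which is why the answer recommends delivering the deny entry through Group Policy for production use.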