Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to limit internal users to not use the guest network without sponsors.

  • 1.  How to limit internal users to not use the guest network without sponsors.

    Posted Aug 16, 2016 10:12 AM

    I have this question from a client, which I believe is not possible, but I still ask.

    He has at one site an auto-register so anyone can get on the guest network. He was asking if there was any way he can limit that access to real guests so that the internal users cannot use it. This is because the guest network has more access to the internet than the internal network.

    The thing is that their internal users switch to the guest network to use the guest network, but they shouldn't be able to do that. They do not want to put sponsors...

    Maybe there is a way to see that if one MAC address has connected before to the internal network, it has no access to the guest network? Something like that? Is that possible?

     

    Cheers

    Carlos



  • 2.  RE: How to limit internal users to not use the guest network without sponsors.

    Posted Aug 16, 2016 10:56 AM

    You could do something with MAC authentication similar to the below:

     

    Add an enforcement profile to your corporate service which adds an attribute to the Endpoint Repository entry identifying the user has been on the corporate service.

    Enable MAC authentication on the Guest network SSID.

    Add an enforcement or role mapping rule which matches when the Endpoint has the specific attribute set/enabled and applies a Deny Access profile.

     

    Please be aware that MAC authentication is not totally secure and anybody determined enough could get around this.
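
The decision logic of the three steps above, as an added Python model (not ClearPass configuration and not code from this thread). The attribute name `SeenOnCorporate`, the class and the function names are hypothetical, and the MAC addresses are constructed samples. It also normalizes the MAC notation, since the same device can be reported in different formats by different controllers.

```python
import re

CORP_FLAG = "SeenOnCorporate"  # hypothetical endpoint attribute name

def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class EndpointRepository:
    """Toy stand-in for the NAC endpoint store, keyed by normalized MAC."""
    def __init__(self):
        self._attrs = {}

    def set_attribute(self, mac, name, value):
        self._attrs.setdefault(normalize_mac(mac), {})[name] = value

    def get_attribute(self, mac, name):
        return self._attrs.get(normalize_mac(mac), {}).get(name)

def on_corporate_auth_success(repo, mac):
    """Step 1: the corporate service's enforcement profile tags the endpoint."""
    repo.set_attribute(mac, CORP_FLAG, "true")

def guest_mac_auth(repo, mac):
    """Steps 2-3: MAC auth on the guest SSID, evaluated before the captive portal."""
    try:
        tagged = repo.get_attribute(mac, CORP_FLAG) == "true"
    except ValueError:
        return "DENY"            # malformed calling-station ID: fail closed
    return "DENY" if tagged else "CAPTIVE_PORTAL"

def demo():
    repo = EndpointRepository()
    on_corporate_auth_success(repo, "AA-BB-CC-11-22-33")   # constructed sample MAC
    return {
        "same device, colon form": guest_mac_auth(repo, "aa:bb:cc:11:22:33"),
        "same device, dotted form": guest_mac_auth(repo, "aabb.cc11.2233"),
        "never seen on corporate": guest_mac_auth(repo, "02:00:00:00:00:01"),
        "malformed": guest_mac_auth(repo, "not-a-mac"),
    }

if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

An endpoint that has never authenticated on the corporate service carries no tag, so it proceeds to the captive portal as an ordinary guest would.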



  • 3.  RE: How to limit internal users to not use the guest network without sponsors.

    Posted Aug 16, 2016 11:11 AM

    Guess this doesn't matter if the controller and the Wi-Fi solution is Cisco for doing this?

    Or does it matter?

     

    Cheers

    Carlos



  • 4.  RE: How to limit internal users to not use the guest network without sponsors.

    Posted Aug 16, 2016 11:13 AM

    No, it shouldn’t matter as long as you can enable MAC authentication on your Guest wireless service which occurs before your current captive portal authentication.



  • 5.  RE: How to limit internal users to not use the guest network without sponsors.

    Posted Aug 16, 2016 11:29 AM

    We will try that

    Thank you!

     

    cheers

    Carlos