Occasional Contributor I

Prevent domain users from joining guest network



I am posting a new message with the same subject as another one posted a year back.  In fact, I have been able to only see 2 threads which match our requirement and none of them have a definitive solution.


Post 1



As the subject says, would like to limit domain machines from connecting to the guest network. 
We tried to create a session rule based on netbios name query (udp/137) but this blacklists all machines joined to a domain.  This would have worked if we could define a destination which would have been resolved by the DNS; but the public DNS cannot resolve our internal domain name; as the broadband guest access is separated from our network.


All help would be appreciated...Thanks


Re: Prevent domain users from joining guest network

Two suggestions.


1) If the domain clients are Windows 7 (or Vista), you can use Group Policy to deny permissions to the guest SSID; easy to implement.


2) You can enforce machine authentication on your dot1x authentication profile for your employee network.  When you do this, the controller caches the MAC of the successful clients (those that pass machine authentication to RADIUS) to the internal database (this time is configurable on the dot1x auth profile).   You can then set up a MAC authentication profile on the guest network, however in this case you'd use a "success" (meaning it is found), to put it in a deny role, or better yet a role that redirects the client to a captive portal page with instructions, etc.


I have customers doing both of these above with fairly good success.  The caveat to #2 is dealing with machine authentication on your enterprise SSID and non-domain machines.   To work around this, the MAC of these devices needs to be added manually to the internal database.



Systems Engineer, Northeast USA
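
The decision logic of suggestion 2 above, as an added example that is not part of the original post and is not controller configuration: a small Python model of the machine-authentication MAC cache and the guest-SSID role choice, showing what happens once a cached entry ages out. The role names, the timeout value and the sample MAC addresses are assumptions made for the illustration.

```python
import re

CACHE_TIMEOUT_S = 24 * 3600        # assumed; the post only says this time is configurable
ROLE_REDIRECT = "domain-redirect"  # hypothetical role: captive portal with instructions
ROLE_GUEST = "guest-logon"         # hypothetical role: normal guest onboarding


def normalize_mac(mac):
    """Canonical lowercase colon form, so differently formatted MACs hit one entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MachineAuthCache:
    """Model of the internal database filled by successful machine authentication."""

    def __init__(self, timeout_s=CACHE_TIMEOUT_S):
        self.timeout_s = timeout_s
        self._expires = {}  # normalized MAC -> time at which the entry ages out

    def record_machine_auth(self, mac, now):
        """A client passed machine authentication on the employee SSID."""
        self._expires[normalize_mac(mac)] = now + self.timeout_s

    def contains(self, mac, now):
        key = normalize_mac(mac)
        expiry = self._expires.get(key)
        if expiry is None:
            return False
        if now >= expiry:          # aged out: the device looks like any guest again
            del self._expires[key]
            return False
        return True


def guest_ssid_role(cache, mac, now):
    """MAC auth on the guest SSID: 'success' (MAC found) maps to the redirect role."""
    return ROLE_REDIRECT if cache.contains(mac, now) else ROLE_GUEST


def demo():
    cache = MachineAuthCache()
    cache.record_machine_auth("00-1A-2B-3C-4D-5E", now=0)  # constructed sample MAC
    return [
        guest_ssid_role(cache, "00:1a:2b:3c:4d:5e", now=3600),                # cached
        guest_ssid_role(cache, "001a.2b3c.4d5e", now=CACHE_TIMEOUT_S + 1),    # aged out
        guest_ssid_role(cache, "66:77:88:99:aa:bb", now=3600),                # never seen
    ]


if __name__ == "__main__":
    print(demo())
```

In this model a domain machine that has not passed machine authentication within the cache time is treated as an ordinary guest, so the cache time determines how long a domain machine stays blocked from the guest SSID after its last employee-SSID login.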

Occasional Contributor II

Re: Prevent domain users from joining guest network

Hi - I know this is an old thread, but I wanted to see if you had any more gotchas or insight on it. I have machines that are in AD (various flavors of Windows as well as macOS) or JAMF (iPads) that should never go on guest, so I'd like to prevent that. Ideally they would not be able to attach to the Guest SSID, so I'll work with the client admins to prevent.

But, I was thinking about your second suggestion - if they attach to guest they get a deny based on AD/JAMF membership and are served a web page that tells them to attach to the 802.1x SSID.  Any info there would be great
