01-15-2021 08:01 AM
Need to block mobile access to SSID configured in VX 9000 controller.
We have the requirement that office employees should not be able to connect to the wireless network using their mobile phones. We have RADIUS authentication configured in our network, which employees use to connect to the network on their laptops/desktops.
Please let us know how to block mobile users from connecting to the wireless network.
01-18-2021 07:08 PM
Association ACLs are a good starting point as suggested by Chris, but if you see some smart users bypassing the MAC-based association ACLs by spoofing the MAC address on their phone (it's very easy nowadays), then you can use the “Device Fingerprinting” feature on the VX9000 to first automatically identify a device as a mobile device and then use “Role-Based Firewall” to assign them a role with a VLAN that takes them nowhere. They will eventually get frustrated and stop using mobile phones on the corporate network!
The advantage is, you won’t have to maintain a large list of MAC addresses for ACLs and keep updating it with new and spoofed MACs; there is no getting around the Fingerprinting and Role-Based Firewall.
A slight disadvantage on the other hand is, the mobile clients will still connect to the SSID and use some air-time, but with time when they realize mobile devices don't work on the SSID, they give up and it frees up the air-time gradually.
Regards,
Ovais
01-15-2021 01:34 PM
Here are instructions on how to create association ACLs from CLI or Web UI:
CLI: https://extremeportal.force.com/ExtrArticleDetail?an=000080766
Web UI: https://extremeportal.force.com/ExtrArticleDetail?an=000081472
Thank you,
Chris