
Need to block mobile access to SSID configured in VX 9000 controller


Shubha_m13
New Contributor

Need to block mobile access to SSID configured in VX 9000 controller.

We have the requirement that office employees should not be able to connect to the wireless network using their mobile phones. We have RADIUS authentication configured in our network, using which employees are able to connect to the network on their laptops/desktops.

Please let us know how to block mobile users connecting to wireless network. 

1 ACCEPTED SOLUTION

Ovais_Qayyum
Extreme Employee

Association ACLs are a good starting point as suggested by Chris, but if you see some smart users bypassing the MAC-based association ACLs by spoofing the MAC address on their phone (it's very easy nowadays), then you can use the “Device Fingerprinting” feature on the VX9000 to first automatically identify a device as a mobile device and then use “Role-Based Firewall” to assign them a role with a VLAN that takes them nowhere. They will eventually get frustrated and stop using mobile phones on the corporate network!

The advantage is that you won’t have to maintain a large list of MAC addresses for ACLs and keep updating it with new and spoofed MACs; there is no getting around the Fingerprinting and Role-Based Firewall.

A slight disadvantage on the other hand is, the mobile clients will still connect to the SSID and use some air-time, but with time when they realize mobile devices don't work on the SSID, they give up and it frees up the air-time gradually.

 

Regards,

Ovais  

 


2 REPLIES 2

Christoph_S
Extreme Employee

Here are instructions on how to create association ACLs from CLI or Web UI:

 

CLI: https://extremeportal.force.com/ExtrArticleDetail?an=000080766

Web UI: https://extremeportal.force.com/ExtrArticleDetail?an=000081472

 

Thank you,

 

Chris

Christoph S.