
2 SSID one with blacklist other with white list

  • 05-04-2014 9:43am
    #1
    Registered Users Posts: 102 ✭✭


    Hi, I have a Cisco 2504 WiFi controller, and so far I have 1 SSID with a known password for all students, and that needs to stay that way. I have 100 iPads + another 100 incoming, and I created SSID 2, where no one gets the password for it. Now I need to somehow blacklist those iPads on SSID 1 and make sure that they can connect only on SSID 2, and then I am able to manage them properly. Please help, I can't see how to do that. I did find the MAC filtering option, but it only has a whitelist function, and I need to leave the first SSID open for new devices without taking their MAC addresses.


Comments

  • Registered Users Posts: 357 ✭✭Ctrl Alt Del


    Not getting the setup yet... and I'm guessing it is for a school.

    In your post you said that "then I am able to manage them properly"... how are you going to do that? What's different on SSID2 than SSID1!??

    Do you have a server that provides DHCP, or a router?
    Do you know all the devices' MAC addresses so that you can create an allow or deny rule (dunno what is white list)? The company that supplied the iDevices should provide you with a list of all MACs.
    Do you have access to a RADIUS device? If the WiFi is shared on the same infrastructure as the students' network, you can use RADIUS for authentication. Ask the supplier to set up the device ID as the student login detail.

    Keep in mind that it is easy to read a WiFi password on Windows 7 devices, if you have any of them connected to WiFi SSID2, therefore the "known password" will be useless.

    My projects are based on a setup of MAC combined with DHCP allow / deny filters on a specified time window, due to evening adult classes. Then, from time to time, I read the logs and check if any of the passwords have "transpired" and new devices have connected to the network.

    Have fun...

    PS
    just found this one here:

    RADIUS would use the individual credentials of each user to verify whether or not they are permitted to access the wireless network. This eliminates the "shared secret" password used in many simple wireless networks.

    Setup example:
    -Create a group you call "wirelessaccess" and put the users you want to have wireless network access in it.
    -Start RADIUS on your server and set it to only permit "wirelessaccess" group users access to the RADIUS service.
    -Tell your server to apply RADIUS authentication to your wireless access points.
    -Tell your wireless access points to use only RADIUS authentication from your server.
    -When a user tries to connect to the wireless network, they will now be prompted with a user and password dialog which requires a user credential in the "wirelessaccess" group to be permitted on to the wireless network.

    You would still have the problem of credentials possibly being given out. However, since the credentials to connect via RADIUS are those of each individual user, you would be able to see in your logs who is supposedly connecting. Individual users would be less likely to give out their own credentials since they would be giving away access in their name and also giving away access to all of their own items in the system.
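
The log review described in the reply above, written as an added example that is not part of the thread: it compares an inventory of managed iPad MACs against association records and reports iPads seen on the open SSID and unknown devices seen on the managed one. The log format, the MAC addresses and the `audit` helper are constructed for illustration; only the SSID1/SSID2 roles come from the thread.

```python
import re

# Constructed inventory: MACs of the managed iPads (e.g. the supplier's list).
MANAGED_IPADS = {"a4:5e:60:11:22:33", "a4:5e:60:11:22:34"}

# Constructed association records; this format is an assumption, not WLC output.
SAMPLE_LOG = """\
2014-04-05T09:01:12 assoc ssid=SSID1 mac=A4-5E-60-11-22-33
2014-04-05T09:01:40 assoc ssid=SSID2 mac=a45e.6011.2234
2014-04-05T09:02:05 assoc ssid=SSID2 mac=00:1b:63:aa:bb:cc
2014-04-05T09:02:31 assoc ssid=SSID1 mac=5a:12:34:56:78:9a
2014-04-05T09:03:02 assoc ssid=SSID1 mac=00:1b:63:dd:ee:ff
2014-04-05T09:03:30 assoc ssid=SSID1 mac=not-a-mac
"""

LINE_RE = re.compile(r"ssid=(\S+)\s+mac=(\S+)")


def normalize_mac(raw):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff or None."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the address is not a vendor-assigned hardware MAC."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(log_text, inventory, open_ssid="SSID1", managed_ssid="SSID2"):
    findings = {"ipad_on_open": [], "unknown_on_managed": [], "unattributable": []}
    known = {normalize_mac(m) for m in inventory}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        mac = normalize_mac(match.group(2)) if match else None
        if mac is None:
            continue  # malformed record: skip rather than guess
        ssid = match.group(1)
        if ssid == open_ssid and mac in known:
            findings["ipad_on_open"].append(mac)        # managed iPad off its SSID
        elif ssid == managed_ssid and mac not in known:
            findings["unknown_on_managed"].append(mac)  # credentials have leaked
        elif ssid == open_ssid and is_locally_administered(mac):
            findings["unattributable"].append(mac)      # cannot match to inventory
    return findings


if __name__ == "__main__":
    for category, macs in audit(SAMPLE_LOG, MANAGED_IPADS).items():
        print(category, macs)
```

Addresses with the locally administered bit set cannot be matched against a hardware inventory, which is one reason per-user RADIUS credentials give better attribution than MAC lists.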


  • Registered Users Posts: 102 ✭✭Ints


    I have the students' iPads supervised with Apple Configurator and under Meraki web management. The problem is that they are able to remove Meraki from the iPads and the device will be unmanaged, but I need them to stay managed and to stop them removing Meraki. The only way I can do it is to create a new network for them, where they have no password access (Meraki management will push all WiFi settings on to the iPad, and if you remove it from the iPad it removes all WiFi settings as well, so you lose any connection, so they will be willing to keep Meraki on the iPad). Problem no. 2 is that they know the current network password and I am not able to change it, because there are another 800 students with different devices on it, and enabling MAC filtering isn't really an option, so I need to deny the iPads access on the first SSID. So far I have looked into it, and all I can do is enable MAC filtering to set an allow list, and all others will be denied; that's not an option. I need it the other way around: I need a deny list, and all other devices will be allowed to get on to the first SSID, but there is no option like that or I can't find it :( .


  • Registered Users Posts: 357 ✭✭Ctrl Alt Del


    OK sorry, I know my limits! :)
    Not familiar with Apple and / or Meraki management.

    What I understood is that if they remove the Meraki client they CAN'T connect to any networks (device being unmanaged, they know the password, bang on to SSID1), BUT if they have the client installed they CAN connect to ANY network / SSID, including SSID2 and SSID1 (but management will push clients to only SSID2)!?

    Can't you create an SSID2 and MIGRATE your required clients from SSID1 to SSID2!? It looks like migration is a quick way, if the management system will allow you to do it.


    Also, what difference will it make, from a system admin point of view, if they connect to SSID1 or SSID2, apart from knowing the password? Are you using multiple gateways and/or VLANs?

    Have you considered waiting maybe until summer time and starting properly from September, with a long (few months) notice to all end users that from 1st of September there will be a major IT review and a few changes implemented; along those lines, you safely change the WiFi access?? I found September a good time frame to implement changes and/or correct errors / mistakes...

    One piece of advice here: can you do RADIUS access level control alongside the current setup? Can the users of mobile devices be set up to use a login system and then pass those login details over to WiFi and RADIUS?

    Regards

