Block Client

  • Updated 1 year ago
Hi,
I need to be able to block a client by their Active Directory Username in HMNG. I have seen that I can block by device MAC address but this is a generic user given out to Students. So the device is not unique. I would like to Deny this Username access to my 802.1X SSID.
Thanks

Paul


Posted 1 year ago


Ruwan Indika

Hi Paul,

Are you using Windows NPS as the RADIUS server? If you disallow wireless access for the user in Active Directory, the user will not be able to authenticate to the 802.1X SSID.


Nick Lowe, Official Rep

Hi Paul,

This should always be done at the EAP terminating RADIUS server or at the backing directory rather than at an authenticator (AP or switch).

A strong technical reason why this would be a bad idea is that EAP outer identities can often be anonymous or spoof another user. An authenticator (AP or switch) has no way of knowing if this has occurred or not.

Thanks,

Nick
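
The point about outer identities in the reply above, as an added example that is not part of the original thread: it parses the cleartext EAP-Response/Identity that an AP or switch can see and compares a username blocklist applied there with the same blocklist applied to the inner identity at the EAP-terminating RADIUS server. The account name `student`, the realm `example.edu`, the function names and the sample sessions are assumptions, and the inner identity is modelled as a plain string because in PEAP or EAP-TTLS it only exists inside the TLS tunnel.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1   # RFC 3748 code / type values

def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity packet (constructed sample input)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data

def outer_identity(packet: bytes) -> str:
    """Parse the only identity an authenticator can read: the cleartext outer one."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    return packet[5:length].decode("utf-8", errors="replace")

def normalise(identity: str) -> str:
    """Reduce DOMAIN\\user or user@realm to a lower-case bare user name."""
    return identity.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def authenticator_allows(packet: bytes, blocked: set) -> bool:
    """Blocklist applied at the AP or switch, which sees only the outer identity."""
    return normalise(outer_identity(packet)) not in blocked

def radius_server_allows(inner_identity: str, blocked: set) -> bool:
    """Blocklist applied where EAP terminates, on the authenticated inner identity."""
    return normalise(inner_identity) not in blocked

BLOCKED = {"student"}  # hypothetical shared account name (assumption)

# (outer identity on the wire, inner identity proven inside the tunnel) - constructed
SESSIONS = [
    ("student@example.edu", "student@example.edu"),
    ("anonymous@example.edu", "student@example.edu"),
    ("teacher@example.edu", "student@example.edu"),
]

def compare():
    """Return (outer, AP decision, server decision) for each constructed session."""
    return [(outer,
             authenticator_allows(build_identity_response(i, outer), BLOCKED),
             radius_server_allows(inner, BLOCKED))
            for i, (outer, inner) in enumerate(SESSIONS)]

if __name__ == "__main__":
    for outer, ap_ok, srv_ok in compare():
        print(f"outer={outer:24} AP allows={ap_ok!s:5} server allows={srv_ok}")
```

Only the first session is stopped by the authenticator-side check; the server-side check rejects all three because it evaluates the identity that was actually authenticated.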

Paul

Spot on Ruwan, that worked! Thanks Nick for the info!