7.6 and up have dns acl feature… http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html#concept_AEEDD6D25578413784092B48A4636163

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Britton Anderson
Sent: Thursday, January 08, 2015 8:42 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] New Device Activation WLAN

These devices prompt for a wireless network during the activation process, but won't let a webauth succeed. I like Hunter's idea of adding the Apple/Google/Antivirus sites to the pre-webauth ACL. Cisco WLCs won't let you use DNS names for ACL entries, d'oh! Is there a known list of these hosts somewhere before I go sniffing wireless traffic?

Thanks,
Britton

Britton Anderson | Senior Network Communications Specialist | University of Alaska <http://www.alaska.edu/oit> | 907.450.8250

On Thu, Jan 8, 2015 at 4:24 PM, Mike King <[email protected]> wrote:

Maybe I'm oversimplifying this, but for the "average" user, don't those devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller <[email protected]> wrote:

This is what we do. While not authenticated to wireless you can still get to a few places - Microsoft, Apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT
Sent from my phone.

On Jan 8, 2015 5:11 PM, "Frank Sweetser" <[email protected]> wrote:

We already have an unencrypted SSID for students to get to our onboarding system (Cloudpath). Our plan for this summer is to poke enough firewall holes for students to also run through the device activation process.

If we were to try to impose any kind of device security policies, we would do it in the onboarding process.

On January 8, 2015 5:54:01 PM EST, Britton Anderson <[email protected]> wrote:

I just wanted to ask the question to see what all of you are doing at your institutions to handle users activating new devices.

New iOS devices for example have to reach out to iCloud to validate themselves and make sure they're not stolen. Android now with version 5 is very similar, having to reach out to the mothership and join to a Google account.

Are any of you doing an "SSID-Activate" WLAN, or requiring clients to bring it by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our Desktop techs touch it and give them pointers to secure it. However, we've lost some budget, and some employees, and they can't keep a guy in the office to handle that influx of people anymore. And I don't want the headache of a wide open WLAN everywhere, and none of the devices will allow the webauth transaction to happen before the device is activated.

Thanks,
--Britton

Britton Anderson | Senior Network Communications Specialist | University of Alaska <http://www.alaska.edu/oit> | 907.450.8250

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
