Blocking all wireless SSIDs except ours while in office

  • Question

  • I'm wondering if anyone knows of a way to block all SSIDs except SSID x while in the office, otherwise don't block any SSID.

    I started looking at starting a WMI filter for a GPO and found MSNdis_80211_ServiceSetIdentifier.  However, that option is not available any longer.

    I'm running Windows 10 and Server 2016 AD.  The "Domain functional" level is currently 2008.

    If anyone has any ideas I'm open to anything at this point.

    Thanks for taking the time!

    IE

    Wednesday, August 15, 2018 10:07 PM

Answers

  • The problem you face is how can a laptop know that it is inside your four walls.

    Guessing your laptops don't all have a SIM card and GPS, right? Chances are that you would need some kind of 3rd party tool - likely hardware based, like a Bluetooth transmitter in your office and a GPO set to turn Bluetooth permanently on, and if the laptop connects to the transmitter a WIFI lockdown comes into effect. Seems shaky, and that's if someone has actually invented one of those.

    So, why are you trying to achieve this? What are you trying to prevent from happening should users connect to other internet sources whilst in your office? Can you tackle this from that angle? Are you worried about data loss or time wasting...?


    Charlie Coverdale

    Disclaimer: This posting is provided 'AS IS' with no warranties or guarantees, and confers no rights.

    • Marked as answer by cheshire712 Monday, March 18, 2019 6:45 PM
    Tuesday, October 2, 2018 10:10 PM

All replies

  • Hi,

    Thanks for your question.

    Is there an NPS server in your environment? 

    How to set up NAP server 

    https://glazenbakje.wordpress.com/2013/08/31/microsoft-windows-server-2012-radius-setup/  

    You can configure a network policy on NAP server to filter connections by called station id.

    How to authenticate multiple WIFI SSIDs on a single NPS server (RADIUS)

    https://blogs.technet.microsoft.com/netgeeks/2017/05/02/how-to-authenticate-multiple-wifi-ssids-on-a-single-nps-server-radius/

    Best regards,

    Travis



    Thursday, August 16, 2018 3:23 AM
  • I am actually running Cisco ISE with 802.1x on all my switches and my access points.  That part works great.  However, I have people running their own internet into the office and plugging in an access point from the provider. 

    It looks like the NAP server would only allow me to block or whitelist SSIDs.  However, I'm trying to block any SSID other than the corp SSID if the corp SSID is in range.

    I fully understand this sounds like a management issue but I still need to stop it.

    I tried looking up WMI filters for AD and found

    MSNdis_80211_BaseServiceSetIdentifier

    But after some digging it looks like it's deprecated in Windows 10.

    Any suggestions would be great.


    Thursday, August 16, 2018 9:37 PM
  • Windows 10 is not NAP capable.

    https://docs.microsoft.com/en-us/windows/desktop/NAP/network-access-protection-start-page


    Charlie Coverdale



    Thursday, August 16, 2018 9:46 PM
  • Unsure whether this would fit your requirement... But you could create a script that forces all WIFI adapters to connect to your SSID and disables the user's ability to change it...

    I will make sense of this tomorrow... But here are elements of what I'm thinking...

    Configure new wireless profile on a test computer and connect to your SSID.

    Export WLAN profile to XML file: netsh wlan export profile name="SSID"

    Group Policy - Computer > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies then "Create A New Wireless Network Policy for Vista and Later Release" then go to "Network Permissions" tab then click "Import".

    Get-NetAdapter | ? {$_.InterfaceType -eq "71"}

    netsh wlan connect ssid=YOURSSID name=PROFILENAME interface="WIRELESS NETWORK CONNECTION"

    Group Policy - User > Administrative Templates > Network > Network Connections > Prohibit access to properties of components of LAN connections.


    Charlie Coverdale



    Thursday, August 16, 2018 11:48 PM
  • How are you tracking with this one? Have you managed to put together a solution?

    Please let me know if I can help.


    Charlie Coverdale



    Tuesday, August 21, 2018 8:14 PM
  • I can't seem to figure it out.  The first solution would remove the ability for users to connect at home or Starbucks etc. I just want them not to be able to connect to anything while in the office other than the SSID I specify. 

    I'm looking at third party solutions right now but I still can't find anything.  Any ideas would be much appreciated.

    Thank you for your previous responses. 

    Tuesday, October 2, 2018 8:47 PM
  • Thank you Charlie for all your responses.  Sorry I let this go for so long.  After a thorough search I couldn't seem to find something that would do this.  I came to the same conclusion that GPS would be the easiest solution but expensive. Bluetooth in theory should work but no luck even though I'm running Meraki wireless with Bluetooth tracking. If someone wants to make a new product this would be a good one that shouldn't be too hard. Anyway thanks for your responses.

    IE

    Monday, March 18, 2019 6:49 PM
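
As an added example (not part of the original thread and not tested by its participants), one way to approximate "lock down only while in the office" is to treat visibility of the corporate SSID as the location signal and toggle the built-in netsh wlan filters accordingly. The SSID value and the function names are placeholders; the script assumes English-language netsh output and an elevated context such as a recurring scheduled task.

```powershell
# Added example, not from the thread. 'CORP-SSID' is a placeholder value.
param(
    [string]$CorpSsid = 'CORP-SSID'   # placeholder: replace with the corporate SSID
)

function Test-SsidVisible {
    param([string]$Ssid)
    # 'netsh wlan show networks' prints one "SSID <n> : <name>" line per network
    # seen in the adapter's most recent scan. BSSID lines do not match the pattern.
    $visible = netsh wlan show networks | ForEach-Object {
        if ($_ -match '^\s*SSID\s+\d+\s*:\s*(.*)$') { $Matches[1].Trim() }
    }
    # SSIDs are case-sensitive, so use the case-sensitive containment operator.
    return [bool]($visible -ccontains $Ssid)
}

function Set-OfficeWlanFilter {
    param([string]$Ssid, [bool]$Enforce)
    if ($Enforce) {
        # Allow the corporate SSID explicitly, then deny all other
        # infrastructure networks on this machine.
        netsh wlan add filter permission=allow ssid="$Ssid" networktype=infrastructure | Out-Null
        netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    }
    else {
        # Corporate SSID not in range (home, cafe): lift the deny-all filter.
        netsh wlan delete filter permission=denyall networktype=infrastructure | Out-Null
    }
}

$inOffice = Test-SsidVisible -Ssid $CorpSsid
Set-OfficeWlanFilter -Ssid $CorpSsid -Enforce $inOffice

# Show the resulting filter list so the task's output can be logged.
netsh wlan show filters
```

An SSID name is only a hint of location, since any access point can broadcast it, and a user with local administrator rights can delete the filter, so this complements the 802.1X controls mentioned in the thread rather than replacing them.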