NAP/IPsec block wi-fi routers
Good time!
We have some employees who use their own Wi-Fi devices to connect to the corporate network. Unfortunately we do not at the moment have the hardware to block such devices. I've found that NAP/IPsec may block noncompliant NAP clients. Can I use this solution to block users' Wi-Fi routers?
P.S. We have some corporate Wi-Fi routers which we must use.
January 24th, 2011 8:59am
Hi,
Thanks for posting here.
Yes, NAP could help to prevent unauthorized devices or computers from accessing your network.
I have listed some links below which introduce this solution for you; please take time to read them so that you can get a clear view of this solution.
Introduction to Network Access Protection
http://www.microsoft.com/downloads/details.aspx?familyid=5d5e243a-23a8-479c-9f2d-37d6d79153e7&displaylang=en&tm
Network Access Protection Platform Architecture
http://www.microsoft.com/downloads/details.aspx?familyid=2f37651e-1749-45c3-996e-53de05d44ef7&displaylang=en
Network Access Protection: Frequently Asked Questions
http://www.microsoft.com/technet/network/nap/napfaq.mspx
In your scenario, I'd suggest taking a look at 802.1X Enforcement; this may help you to achieve the goal.
Meanwhile, could you describe your network in detail (for example, the network devices you are using now), so that we can provide more detailed suggestions for you?
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
January 24th, 2011 9:50pm
Thanks for the answer.
Why do you think 802.1X Enforcement is more useful than IPsec in my case?
Our workers connect to the corporate LAN with workstations or notebooks by twisted-pair connections to switches and routers. They receive their network address by DHCP with MAC binding (WS 2008 R2 Server). They connect to the internet through a proxy server (non-Microsoft: Squid).
The workers have the possibility (and some of them use it) to plug the twisted pair into their own Wi-Fi router and publish the workstation's MAC address (PAT, if one can say it). So they are connected to the corporate LAN with both their workstation and their own device. So we have the following scheme:
Proxy Server ---- Switch ----- Wi-Fi Router ---- Workstation
                                    |
                               wi-fi device
Our task is to restrict connections of Wi-Fi devices even when users connect their own Wi-Fi routers, while the corporate Wi-Fi routers must work all the time.
January 25th, 2011 2:47am
Hi,
Thanks for posting here.
There is an 802.1X Port-Based Authentication solution which can control the devices that want to access the network, and this is applicable to the situation you are encountering now.
In general, when a device attempts to access the network, it must provide credentials to the switch and the RADIUS/DC server for authentication; if the device passes the authentication and matches the policies defined on the RADIUS server, the switch will enable the port so that the device is allowed to access the internal network.
However, this feature needs support from the hardware device; you may consult with the device vendor or check the device manual.
I have listed some introductions regarding this solution for your reference:
IEEE 802.1X
http://en.wikipedia.org/wiki/IEEE_802.1X
Appendix D: NAP-NAC Design
http://technet.microsoft.com/en-us/library/dd125393(WS.10).aspx
Configuring 802.1X Port-Based Authentication
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html
Thanks.
Tiger Li
Important Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.
There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.
January 26th, 2011 12:42am
Thanks for the detailed explanation of the problem solutions. They are very helpful!!!
January 26th, 2011 4:49am
I have one more question. In the case of ARP NAT (the Wi-Fi router acts as NAT for the MAC addresses of the connected legal and non-legal devices), will the solutions be helpful in securing network access?
The MAC address of the corporate workstation is legal and it can be translated to the router port, so other devices are behind it and will use the corporate LAN. Is it true?
January 27th, 2011 12:22pm
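The last question above (a home router hiding several devices behind one authorized MAC) can be checked passively from traffic mirrored off the access switch. The Python below is an added example, not code from the thread or from Microsoft: it flags a MAC whose packets carry more than one OS TTL signature or a TTL that has already been decremented by an intermediate router, while exempting an allowlist of the corporate Wi-Fi routers. The TTL defaults, the allowlisted MACs and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Typical initial TTLs set by common OS families (Windows 128, Linux/Android 64,
# some network gear 255). A consumer router decrements TTL by one as it forwards,
# so 127 or 63 seen on a port that should hold a directly attached workstation
# means an extra hop (a NAT router) is hiding behind that MAC.
DEFAULT_TTLS = (64, 128, 255)

# Constructed allowlist: MACs of the corporate Wi-Fi routers that must keep working.
CORPORATE_ROUTERS = {"aa:bb:cc:ff:ff:01"}

# Constructed sample of (source MAC, observed IP TTL) pairs as a mirror (SPAN)
# port on the access switch would show them.
SAMPLE_RECORDS = [
    ("aa:bb:cc:00:00:01", 128),  # workstation plugged straight into the switch
    ("aa:bb:cc:00:00:01", 128),
    ("aa:bb:cc:00:00:02", 127),  # same OS family, but TTL already decremented once
    ("aa:bb:cc:00:00:02", 63),   # a second OS family (a phone) behind the same MAC
    ("aa:bb:cc:ff:ff:01", 127),  # corporate router: expected and allowlisted
]


def ttl_origin(ttl):
    """Return (likely initial TTL, hops travelled) for one observed TTL value."""
    base = min((d for d in DEFAULT_TTLS if d >= ttl), default=255)
    return base, base - ttl


def analyse(records, allowlist=CORPORATE_ROUTERS, expected_hops=0):
    """Flag MACs whose traffic looks like several hosts behind a NAT router."""
    seen = defaultdict(lambda: {"bases": set(), "hops": set()})
    for mac, ttl in records:
        base, hops = ttl_origin(ttl)
        seen[mac.lower()]["bases"].add(base)
        seen[mac.lower()]["hops"].add(hops)
    findings = {}
    for mac, s in seen.items():
        if mac in allowlist:
            findings[mac] = {"suspect": False, "reasons": ["known corporate Wi-Fi router"]}
            continue
        reasons = []
        if len(s["bases"]) > 1:
            reasons.append("several OS TTL signatures behind one MAC")
        if max(s["hops"]) > expected_hops:
            reasons.append("TTL decremented: a router sits between switch and host")
        findings[mac] = {"suspect": bool(reasons), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for mac, f in analyse(SAMPLE_RECORDS).items():
        print(mac, "SUSPECT" if f["suspect"] else "ok", "; ".join(f["reasons"]))
```

This is a heuristic only: a host that deliberately rewrites its TTL will not be caught, so it complements rather than replaces the 802.1X port authentication discussed above.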