Endpoint Protection

I am testing a Device Control policy to disable WLAN when connected to the company lan.

I am using two locations, where as the "default" location is active when "Clients computer uses Ethernet", and the "public" when "the client computer does not use ethernet". The "default" is set to default in case of conflict.

I have added the device id of the wlan adapter on the corporate standard portable computer, and put this in the block list of the policy in the "default" location. On the "public" location I have testet both without any blocked devices, and with an exclusion for blocking the WLAN adapter

this works fine on the corporate LAN, the WLAN adapter is correctly disabled. However, when not wired the WLAN adapter is not automaticly enabled, but it is not disabled when manually enabled.

How can i configure this so that users do not need to manually enable the wlan adapter after switching locations?

first of all, on portable computers the Ethernet card and the Wi-fi cars are the same. meaning that if you disable the "Wi-Fi" you would also disable the Ethernet device. please pay attantion that it is not for all portable computers, i know it is at least for IBM.
what you can do is define Firewall rule, that the client would not recive any IP adress and/or DC connectivity. that way you "Disable" the ability to connect with Wi-fi (in the firewall rules you can define what adapter you block and you will block the Wi-Fi adapter.

another thing to consider:
if you proceed in the way i am suggesting (which is the only way possible that i know of) when you "kill" DHCP requests and DC connection, when you switch location again the device (wi-fi adapter) wont work. you need to "disable" and "enable" the device.


about using the device control for the job.
if you have NAC Starter edition you could run make a tweak that when a computer switch location you run a script that says: "disable and enable device" and "fix" the bug with device.


naor p.

Thank you for the answer.

I am using the specific Device ID for the wireless adapter since the Class ID is the same for the both adapters, but they are indeed two separate adapters (Lenovo x301 is the client I am testing on, and has a Intel Wifi Link 5300 AGN on PCI express)

We are not using the SEP Firewall, althought it is installed of course, we have disabled it by policy and use only the native Windows firewall . We are not using NAC either.

Check this link and let us know whether it helped.


http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008052110185348

Problem here is that the condition "uses wireless" won't work since the wlan adapter is disabled. Before this is enabled it will not switch location, and you cannot enable as long as it is blocked in the current location.

I tested this and can confirm that it did not work. My original setup (only "does not use ethernet" and skipping "uses wireless") works ok, but you need to manually enable the wlan adapter

Thank you for the answer.
I tried this, but still the wlan adapter had to be enabled manually after switching location

This is what I did:

1. Follow Setting up automatic location switching in this article http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008052110185348
2. Under Settings for Location: Ethernet
   Application and Device Control policy
   Add the WLAN devices to be blocked
3. Under Settings for Location: Wireless
   Application and Device Control policy
   Add the WLAN devices to be excluded from blocking
    

Ethernet Location: WLAN device disabled
Wireless Location: WLAN device enabled

Works well.

Sorry for the typo.
Point 2 is Ethernet
Point 3 is Wireless

I have complete configure disable wireless while ethernet interface is active by create 2 location as Ethernet and Wireless.  Now, i am facing problem establish juniper vpn via wireless. Wireless interface will disconnect while initialize Juniper vpn. Based on the finding, juniper vpn is establish "Juniper Network Connect Virtual Adapter - Teefer2 Miniport" = ethernet interface.

How to create exception list for Virtual Adapter ethernet while wireless interface is active.

Hi, 

I want know how block all Disable all Wireless LAN adapter in my Network i have in my netwok IBM,Lenove,HP, note books and Laptops and its have so many variety  of  WLAN card i unable bock using Device ID for the wireless adapter . if the commen  ID for the WLAN  please advice me  how to block all WLAN card 

Hi, 

I want know how block all Disable all Wireless LAN adapter in my Network i have in my netwok IBM,Lenove,HP, note books and Laptops and its have so many variety  of  WLAN card i unable bock using Device ID for the wireless adapter . if the commen  ID for the WLAN  please advice me  how to block all WLAN cards

All network cards have the same ClassID. Problem is by disabling this you also disable the wired ethernet cards. There is no segregation between wired and wireless cards here.

But if you use the SEP firewall, you can use this to block traffic, for instance DHCP.

Too bad the firewall cant block based on SSID