Aerohive Migrated Content

BLOCK mobile phones on corporate SSID but ALLOW them on guest SSID

david.fig posted 07-23-2018 14:25

We have two (2) wireless networks (SSID) that are on different subnets (192.168.x.x/24 - corporate) and (172.16.x.x/24 - guest). I need to BLOCK all mobile phones from the corporate network (192.168.x.x/24) and only allow them on the guest network (172.16.x.x/24). I haven't found an effective way to do this other than blocking MAC addresses one-by-one. I simply need a policy that does not allow Android or iOS operating systems on the corporate network. Any assistance would be appreciated.

samantha.lynn

We can do this using client classification. This would mean that we can send all Androids, iPhones, etc to a specific VLAN (that can be a dead VLAN, or a VLAN attached to a User Profile with significant traffic throttling, etc), based on MAC OS. Does that sound like what you are looking for?

david.fig

Thank you Sam. YES - that will work. I have the corp SSID on VLAN 1 and guest SSID on VLAN 99. The guest network is INTERNET ONLY and is routed directly out of our firewall; whereas, our corp SSID has access to the appropriate resources (servers, etc.).

Thank you in advance for taking a look at this.

samantha.lynn

Great, I see you've tagged this as HiveManager (formerly NG), so the instructions that follow would be for that platform.

You would want to open the SSID and go down to the user profile section. Check the box next to "Apply a different user profile to various clients and user groups", then add a user profile to the new section you have (the one we want to direct the mobile devices to). Once you've added the new user profile, click on the small plus icon next to Assignment Rules. You can name the rule whatever you'd like, then click on the plus icon and select Client OS type. Next select the OS types you would like to block and save.

This will direct the OS types you specified to the secondary user profile, which can be on a dead VLAN to drop the traffic all together, or have different rules and restrictions applied to it, whatever works for you.

Please let me know if I can clarify anything. I'll work on getting a how-to guide made for this process for the HiveManager (formerly NG) platform.

david.fig

Thanks Sam - I did the config pursuant to your response - then pushed it out to a few test APs tonight - then will do some testing in the AM before everyone arrives.

Best regards....

david.fig

Sam - your solution worked, even though it worked differently than I expected, or perhaps I implemented it wrong. Mobile users who were typically connected to the CORP wireless network (192.168.x.x) were forced onto the GUEST wireless network (172.16.x.x). What I did not expect was that they are on the CORP SSID, not the GUEST SSID. Perhaps I need to apply the policy to the GUEST SSID as well. Regardless - they are segmented from the CORP network, which was my goal. Thank you kindly!!

I'll look forward to seeing your HOWTO guide.

We can consider this question ANSWERED.

david.fig

One last thing outside of this QUESTION - we are new to Aerohive and want to roll it out to our other eight (8) locations. Can you point to a HOWTO guide to implement a single policy for multiple sites when each site is its own subnet? For example:

Site A: 192.168.1.x

Site B: 192.168.2.x

Site C: 192.168.3.x

you get the idea.

Thanx in advance.

samantha.lynn

You'd want to put the users in different user profiles, so you can assign different VLANs, so they can reach their respective subnets. This is very similar to what we did above, using rules to assign different users to different user profiles, only this time it won't be for dead VLANs. You'd have to find a way to classify the users, to tell them apart for the sorting into the different user profiles. Your options for classifying users are: User group, OS type, MAC address, Client location, and Schedule. For your use case, if you have Maps set up for your different locations with the APs placed on the maps, I would say sorting by Client location would be easiest, unless you are already separating them into different PPSK user groups.
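The two classifications Sam describes in this thread (Client OS type to isolate phones, Client location to sort the sites) are modelled below as an added Python example; it is not HiveManager's code and not anything posted by the participants. The VLAN ids 11/12/13 and 4094, the MAC addresses, and the rule semantics (a rule's set criteria are AND-ed, rules are checked in order, first match wins, an unmatched client gets the SSID default) are assumptions. It also shows why rule order matters once both kinds of rule live on one SSID: if the site rules sit above the mobile rule, a phone at a mapped site matches the site rule and lands on the corporate VLAN, which the audit function flags. Note that the OS type is derived by the AP from what the client sends, so it is a segmentation convenience rather than an identity check; PPSK user groups, the other option Sam mentions, are the sturdier classifier.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed model of SSID assignment rules (not HiveManager's own code): rules are
# checked in order, first match wins, and an unmatched client gets the SSID default.


@dataclass(frozen=True)
class UserProfile:
    name: str
    vlan: int


@dataclass(frozen=True)
class Client:
    mac: str
    os_type: str                  # AP-side classification from what the client sends
    location: str                 # map/site the serving AP is placed on
    user_group: Optional[str] = None


@dataclass(frozen=True)
class AssignmentRule:
    name: str
    profile: UserProfile
    os_types: FrozenSet[str] = frozenset()
    locations: FrozenSet[str] = frozenset()
    user_groups: FrozenSet[str] = frozenset()

    def matches(self, c: Client) -> bool:
        # Every criterion the rule sets must hold; unset criteria are ignored (assumed semantics).
        if self.os_types and c.os_type not in self.os_types:
            return False
        if self.locations and c.location not in self.locations:
            return False
        if self.user_groups and c.user_group not in self.user_groups:
            return False
        return True


@dataclass
class SSID:
    name: str
    default_profile: UserProfile
    rules: List[AssignmentRule] = field(default_factory=list)

    def assign(self, c: Client) -> UserProfile:
        for rule in self.rules:          # ordered; first match wins
            if rule.matches(c):
                return rule.profile
        return self.default_profile


# Profiles: one corporate VLAN per site (ids 11/12/13 are assumptions), the guest VLAN 99
# from the thread for isolated phones, and a dead VLAN (4094, assumed) as the default.
MOBILE_OS = frozenset({"Android", "iOS"})
MOBILE_ISOLATED = UserProfile("mobile-isolated", 99)
DEAD = UserProfile("dead", 4094)
SITE_PROFILES = {
    "Site A": UserProfile("corp-site-a", 11),   # 192.168.1.x
    "Site B": UserProfile("corp-site-b", 12),   # 192.168.2.x
    "Site C": UserProfile("corp-site-c", 13),   # 192.168.3.x
}
CORP_VLANS = {p.vlan for p in SITE_PROFILES.values()}


def build_corp_ssid(mobile_rule_first: bool = True) -> SSID:
    """CORP SSID with a Client-OS rule for phones and one Client-location rule per site."""
    mobile_rule = [AssignmentRule("block-mobile", MOBILE_ISOLATED, os_types=MOBILE_OS)]
    site_rules = [AssignmentRule(f"site-{loc}", prof, locations=frozenset({loc}))
                  for loc, prof in SITE_PROFILES.items()]
    rules = mobile_rule + site_rules if mobile_rule_first else site_rules + mobile_rule
    # Default to the dead VLAN so an AP not yet placed on a map cannot grant corporate access.
    return SSID("CORP", default_profile=DEAD, rules=rules)


def mobile_on_corp_vlan(ssid: SSID, clients: List[Client]) -> List[str]:
    """Audit check: MACs of mobile-OS clients that would still land on a corporate VLAN."""
    return [c.mac for c in clients
            if c.os_type in MOBILE_OS and ssid.assign(c).vlan in CORP_VLANS]


# Constructed sample clients (MACs are made up).
SAMPLE_CLIENTS = [
    Client("aa:bb:cc:00:00:01", "Windows", "Site A"),
    Client("aa:bb:cc:00:00:02", "iOS", "Site A"),
    Client("aa:bb:cc:00:00:03", "Android", "Site B"),
    Client("aa:bb:cc:00:00:04", "macOS", "Site C"),
    Client("aa:bb:cc:00:00:05", "Windows", "Unplaced AP"),
]


if __name__ == "__main__":
    for order in (True, False):
        ssid = build_corp_ssid(mobile_rule_first=order)
        print(f"--- mobile rule first: {order}")
        for c in SAMPLE_CLIENTS:
            p = ssid.assign(c)
            print(f"{c.mac} {c.os_type:8} {c.location:12} -> {p.name} (VLAN {p.vlan})")
        print("phones leaking onto corp VLANs:", mobile_on_corp_vlan(ssid, SAMPLE_CLIENTS))
```

Running it prints both orderings: with the mobile rule first every phone ends up on VLAN 99 and the unplaced-AP client on the dead VLAN; with the site rules first the two phones at mapped sites reach VLANs 11 and 12, which is exactly the gap the audit list reports.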

david.fig

Thank you for your input - much appreciated!! We are doing a complete network refresh and have lots of moving parts.

IT Support
Hi there,
I'm interested in the HOWTO guide on this too. Are you able to share?

Thank you.