IdentiFi device type access

  • Question
  • Updated 10 months ago
  • Answered
Hello, all!

In the controller we can see statistics by Operating System, Device Type, etc.
Can we restrict access for device type with rules?
(without NAC, only with Controller)

For example Android devices and Apple devices.

Thank you!

Alexandr P, Embassador

Posted 10 months ago

Andre Brits Kannemeyer

Hi Alex

Good question....
If we can see it we should be able to use it....

But I do not believe this is possible, we will still require a NAC for this....
Let's see what the official response looks like...

Volker Kull

Hello!
The device type detection occurs after authentication via DHCP-Snooping. So during the authentication process you will not have this information.
To use this you need to detect the device type after successful authentication and move the device to another role with a triggered reauth. This can only be done via NAC (COA).

br
Volker
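
The ordering described in the post above, as an added Python example that is not part of the thread and not code from any controller or NAC product: it parses the options of a constructed DHCP request, derives a device type from the vendor class (option 60, one common fingerprinting input), and shows that the role assigned at authentication time cannot depend on it. The sample bytes, the session dictionary, the role names and the two-entry vendor table are assumptions.

```python
# Added example. Sample packet bytes, role names and vendor table are constructed.
PAD, END = 0, 255
OPT_VENDOR_CLASS = 60

# Constructed options field of a client DHCP request (bytes after the magic cookie).
SAMPLE_OPTIONS = (
    bytes([53, 1, 3])                          # message type: REQUEST
    + bytes([60, 14]) + b"android-dhcp-9"      # vendor class identifier
    + bytes([55, 4, 1, 3, 6, 15])              # parameter request list
    + bytes([END])
)

def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the code/length/value options; reject truncated input."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:                        # single-byte padding, no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def device_type(opts: dict) -> str:
    """Classify from option 60 only; real fingerprinting also weighs option 55."""
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    for prefix, name in (("android-dhcp", "Android"), ("MSFT", "Windows")):
        if vendor.startswith(prefix):
            return name
    return "unknown"

def evaluate(session: dict) -> tuple:
    """Return (role, needs_reauth) for a session; role names are hypothetical."""
    if session.get("dhcp_options") is None:    # state at authentication time
        return ("default", False)
    dtype = device_type(parse_dhcp_options(session["dhcp_options"]))
    role = "mobile-restricted" if dtype == "Android" else "default"
    return (role, role != session.get("role", "default"))
```

A `needs_reauth` value of `True` marks the point where something has to move an already authenticated client to the new role, which is the step the post attributes to NAC (CoA).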

Andre Brits Kannemeyer

Hi Volker

NAC also utilizes DHCP-Snooping to identify the device type...
Only once NAC is able to resolve the IP does the Device Type appear.
This should be the same process....

Alexandr P, Embassador

Does NAC have the possibility to control access based on the device type and client OS?
Can you show me screenshots or a web link with images of this configuration in NAC?

Thank you!

Ronald Dvorak, Embassador

Here is an example of the default groups....



Ronald Dvorak, Embassador

Just my 2 cents on the topic...

Device fingerprinting is done by the AP directly and not by the WLAN controller.

I've no idea how often this data is tx back to the controller but it could be that it's done together with statistics data which isn't that often.

In that case the controller doesn't have this device type data handy at the point of the authentication process.

-Ron