restrict device type connecting to wireless

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
Is there a way of restricting the type of device that is allowed to connect to an SSID? One of our customers has an SSID that is enabled for Radius authentication and unless you have a laptop that is part of the domain it will not be allowed to connect, which is what they want. However the exception to this is if a user has a mobile device such as an android or apple device they are able to download a certificate once they authenticate with their domain credentials and connect. Is there a way of stopping the mobile devices connecting?

Customer comments below:

From what I can tell with the wifi, is that  - with or without a Radius policy (if its not a domain joined laptop) you can’t seem to logon with staff or student credentials which is fine. However with Andrio\IOS tested on ipad and phone, you can log onto "staff_SSID" with staff or student credentials and also, even before you get to smoothwall to sign in, Apps will update such as Facebook.

Ideally Id like to lock down the Staff to work effectively without mobile and apple devices being able to connect.

Ipad asks to trust the school DC Cert and then lets you in. Android lets you straight in.


They currently have a v9 wireless controller without NAC.
Photo of Renne Stuart

Renne Stuart

  • 260 Points 250 badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of Hawkins, Bruce

Hawkins, Bruce, Employee

  • 1,090 Points 1k badge 2x thumb
I think the solution you're looking for is MAC Authentication, which can be applied in addition to RADIUS authentication for a VNS/WLAN Service/SSID. In this case, you are requiring that the MAC address of a given WLAN device be checked against a list of predetermined allowable MAC addresses, and if the device isn't in that list, then that client will be denied access.
Photo of Renne Stuart

Renne Stuart

  • 260 Points 250 badge 2x thumb
i might give this a try and see where we get to, thanks.
Photo of Tyler Marcotte

Tyler Marcotte, Official Rep

  • 2,740 Points 2k badge 2x thumb
If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.
(Edited)
Photo of Renne Stuart

Renne Stuart

  • 260 Points 250 badge 2x thumb
thanks, ill see where we get to with mac-authentication otherwise will suggest NAC if they really want this feature
Photo of Kent Sapp

Kent Sapp

  • 260 Points 250 badge 2x thumb
We have NAC and would like to block Game Devices like Playstations from our SSIDs. How would we go about doing that?
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 48,764 Points 20k badge 2x thumb
1. neither support 802.1X as far as I'm aware
2. you can't "block" them - you'd just put them in a "deny" role, so they would be connected to the SSID but can't rx/tx any data and hopefully the owner of the device will not longer try to access the SSID

So in case you use a PSK SSID just enable MAC based authentication and use the NAC for authentication.
Add a rule with "device type group" gaming and a deny profile.
Add another rule which must be after the deny which allows all other devices.

If the gaming device connects to the SSID the NAC should authenticate it with the deny role and other devices get the allow role.

I've tried it and it works for the PS4 but unfortunately the XBOX One is identified as device type "Windows".

So you'd need to open a ticket so the GTAC could try to add a better fingerprint.
They have done it for me with the right data within a day for some other devices.
Here a link what data they need from you....
https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

-Ron
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 48,764 Points 20k badge 2x thumb
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 48,894 Points 20k badge 2x thumb
Could you please tell what kind of EAP authentication is used..... PEAP or TLS (username/password or client certificates).

- connect to the staff SSID with student credentials
That sounds like something is not configured correctly as I don't think that a student account should be able to connect to the staff SSID.

-Ron
Photo of Renne Stuart

Renne Stuart

  • 260 Points 250 badge 2x thumb
I'm not sure Ron, ill check and get back to you.
Photo of Karthik

Karthik

  • 450 Points 250 badge 2x thumb
NAC BYOD would be the best solution. But what I would like to check is, anybody here done DHCP fingerprinting before?

-Karthik.
Photo of Doug Hyde

Doug Hyde, Technical Support Manager

  • 20,514 Points 20k badge 2x thumb
We recommend it and deploy it all the time Karthik, did you have any questions on it?