restrict device type connecting to wireless


Is there a way of restricting the type of device that is allowed to connect to an SSID? One of our customers has an SSID that is enabled for Radius authentication and unless you have a laptop that is part of the domain it will not be allowed to connect, which is what they want. However the exception to this is if a user has a mobile device such as an android or apple device they are able to download a certificate once they authenticate with their domain credentials and connect. Is there a way of stopping the mobile devices connecting?

Customer comments below:
From what I can tell with the wifi, is that - with or without a Radius policy (if its not a domain joined laptop) you can’t seem to logon with staff or student credentials which is fine. However with Andrio\IOS tested on ipad and phone, you can log onto "staff_SSID" with staff or student credentials and also, even before you get to smoothwall to sign in, Apps will update such as Facebook.

Ideally Id like to lock down the Staff to work effectively without mobile and apple devices being able to connect.

Ipad asks to trust the school DC Cert and then lets you in. Android lets you straight in.

They currently have a v9 wireless controller without NAC.

11 replies

Userlevel 3
I think the solution you're looking for is MAC Authentication, which can be applied in addition to RADIUS authentication for a VNS/WLAN Service/SSID. In this case, you are requiring that the MAC address of a given WLAN device be checked against a list of predetermined allowable MAC addresses, and if the device isn't in that list, then that client will be denied access.
Hawkins, Bruce wrote:

I think the solution you're looking for is MAC Authentication, which can be applied in addition to RADIUS authentication for a VNS/WLAN Service/SSID. In this case, you are requiring that the MAC address of a given WLAN device be checked against a list of predetermined allowable MAC addresses, and if the device isn't in that list, then that client will be denied access.

i might give this a try and see where we get to, thanks.
Userlevel 4
If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.
Tyler Marcotte wrote:

If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.

thanks, ill see where we get to with mac-authentication otherwise will suggest NAC if they really want this feature
Tyler Marcotte wrote:

If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.

We have NAC and would like to block Game Devices like Playstations from our SSIDs. How would we go about doing that?
Userlevel 7
Tyler Marcotte wrote:

If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.

1. neither support 802.1X as far as I'm aware
2. you can't "block" them - you'd just put them in a "deny" role, so they would be connected to the SSID but can't rx/tx any data and hopefully the owner of the device will not longer try to access the SSID

So in case you use a PSK SSID just enable MAC based authentication and use the NAC for authentication.
Add a rule with "device type group" gaming and a deny profile.
Add another rule which must be after the deny which allows all other devices.

If the gaming device connects to the SSID the NAC should authenticate it with the deny role and other devices get the allow role.

I've tried it and it works for the PS4 but unfortunately the XBOX One is identified as device type "Windows".

So you'd need to open a ticket so the GTAC could try to add a better fingerprint.
They have done it for me with the right data within a day for some other devices.
Here a link what data they need from you....
https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

-Ron
Userlevel 7
Tyler Marcotte wrote:

If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.

Userlevel 7
Could you please tell what kind of EAP authentication is used..... PEAP or TLS (username/password or client certificates).

- connect to the staff SSID with student credentials
That sounds like something is not configured correctly as I don't think that a student account should be able to connect to the staff SSID.

-Ron
Ron wrote:

Could you please tell what kind of EAP authentication is used..... PEAP or TLS (username/password or client certificates).

- connect to the staff SSID with student credentials
That sounds like something is not configured correctly as I don't think that a student account should be able to connect to the staff SSID.

-Ron

I'm not sure Ron, ill check and get back to you.
Userlevel 1
NAC BYOD would be the best solution. But what I would like to check is, anybody here done DHCP fingerprinting before?

-Karthik.
Userlevel 7
Karthik wrote:

NAC BYOD would be the best solution. But what I would like to check is, anybody here done DHCP fingerprinting before?

-Karthik.

We recommend it and deploy it all the time Karthik, did you have any questions on it?

Reply