Header Only - DO NOT REMOVE - Extreme Networks
Question

How reject Android/iOS devices

  • 21 April 2020
  • 9 replies
  • 252 views

Hi all.
I would like to submit a question, my access points are configured with two radio networks: one corporate and one dedicated to mobile devices.
These two radio networks are on different vlan.
Many users uses the corporate network for their own mobiles, so my question is: is it possible to create a rule how reject all Android/iOS devices (by MAC OUI/other) if a device tries to connect to that network? 
If yes, how can I do?

I hope I was clear, if not, don't hesitate to ask.

Thanks for your time
Mauro


My setup is:
- VX9000 controller version 5.9.1.3-007R
- Access points: AP-8432, AP-7632, AP-7522


9 replies

Userlevel 6

Hello!
 

You can use device fingerprinting.

https://documentation.extremenetworks.com/WiNG/5.9.7/WCSRG/downloads/WiNG_5.9.7_Controller_System_Reference_Guide.pdf

From page 864

 

Thank you!

Thanks for your reply.

Now I configured my device fringer print group, how can I apply this group to a policy who deny these “fingerprint” to connect to a specifc SSID?

 

Thanks again

Userlevel 6

Hello Mauro,

 

Check step 2 of this article for instructions on mapping the ACL to the WLAN:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-an-Association-ACL-using-CLI

From GUI:

Configuration » Wireless » Select the WLAN you want to apply this to » Edit » Firewall » Association ACL » Select the ACL you created from the drop down menu » OK » Commit and Save

 

Thank you,

 

Chris

Userlevel 6

VERY IMPORTANT:

 

If you created an association ACL, there is an explicit Deny All rule at the end of the ACL (you can’t see it but it’s there) so it is imperative that you add an allow all rule in your ACL or else all traffic will be denied. 

 

Add this line at end of your ACL after you’ve entered all the deny rules:

 

Chris

 

Thanks Chris for your support, it’s very usefull in order to block/allow specific MAC.

Do you know if there’s a better way to block/allow an entire brand (all iphones/ipad) without write by hand every single mac oui?

Userlevel 6

The only way I see is to block the whole OUI range but I believe that these manufacturers have many OUIs in there repertoire. 

 

To block whole OUI range you can use the following rule in GUI:

Example of 00-10-FA Apple OUI:

 

There is no option to create a MAC ACL by manufacturers brand name. 

 

Chris

Userlevel 4

HI Mauro,

 

In addition to what Alexandr suggested in regards to DHCP finger printing.
You need to use roles this should also be in the system ref guide.
This will allow better containment than a association ACL based soley on Mac address.

Please see link to find document regard role based firewall.
https://gtacknowledge.extremenetworks.com/articles/Q_A/Where-can-I-find-documentation-for-WiNG-Role-Based-Firewall

First of all, thanks everybody for your help.

With some bash scripts and a lot of patience I start to develop my own “blacklist” (and, thanks to you all, it works!).

 

Last question: if I have a specific MAC address to allow, it should be inserted on the top or in the bottom of the list (before the allow all)?

Sorry, I told it was the last question but I’ve another one.

Due to the large amount of MAC OUI to deny (every ACL max limit is 1000 elements), is it possible to create a group of ACL in order to associate more lists to a single group? GUI doesn’t premit to add more than one ACL but I’ve more than 2000 MAC.

Reply