
advice on client scheduling and restrictions

  • 30 July 2020

In a school environment we have user profiles that have appropriate availability schedules based on student age levels, bedtime disconnection of client devices, different weekend schedules to school day schedules etc. This has worked OK for a couple of years, apart from the overnight disconnected state causing the network's health scores to look really bad permanently.

Now I am tasked with users needing access to one site (semi-permanently), so basically some sort of firewall policy is involved that overrides the actual permitted scheduled hours for that site/app. One particular site needs Wi-Fi, but all other access is regulated to the predetermined times.

So I am looking for possible redirection of user profiles depending on time schedules

or

do I actually reconfigure to have students connected 24hrs a day, with DNS, IP etc. (solving the health scores hopefully)

and then have some sort of complex firewall policy with time-based allowance levels or redirections to allow or disconnect internet traffic to schedules?

I don’t actually think what I’m asking is achievable without 3rd-party firewall controls external to Aerohive, but I am open to suggestions.


Best answer by Sam Pirok 10 September 2020, 14:47

Thank you for clarifying, I don’t think that is something we can do in the XIQ set up, I believe you would need to use your network firewall for that level of granular control. 


6 replies


Thank you for your patience while we looked into this for you. If you go into the SSID User Profile section and check “Apply a different user profile to various clients and user groups”, you should then see the scheduling section. To allow access to one site while keeping your other rules/restrictions in place, just add the rule allowing access to the permanently accessible site first, and then the rest of your rules after that. The rules are applied in a top-down order, so the rule to allow access to that site will be applied before any of the rules restricting access to other sites are applied. Is that what you were looking for?

Hi Sam

Thanks, but that’s confused me totally. The SSID user profile section doesn’t have a scheduling section that I can see?

There is an SSID schedule setting under additional settings but I can’t see that’s relevant.

We have a list of user profiles under the “apply different user profiles to various clients and user groups”.

Each one is, through RADIUS, selecting a year group and has a corresponding assignment rule and an availability schedule already set up in the user profile.

Are you saying to create a new user profile at the top of the list when you say rule?

A profile using the same criteria of RADIUS attributes, VLAN assignments etc. as the existing profile but with its own independent schedule and a traffic firewall that will apply first because it’s higher in the list.


I’m sorry for the confusion, if you go into your Network Policy > Open the SSID > Open the User Profile > Go to the Availability Schedule, you should see the scheduling options. If you already have all the user profiles assigned to the right users at the right times, you likely don’t need to alter the schedules and would just want to add that extra rule at the top of any firewall lists to allow the webpage.

So it’s not a new user profile, it’s a new rule in the firewall rules within the user profiles you are already using. That means you will want to open all the user profiles this new rule will apply to, go to the Security tab within the user profile, and add a rule allowing access to the new web page. Make sure the new firewall rule is moved to the top of the firewall rule list so it is applied first before any other rules blocking access are applied. 

Thanks, I think I haven’t explained my problem well, hence the confusion.

I understand the scheduling and the firewall access top down list. Currently we have time scheduled profiles with no firewall rules. Surely if you apply any firewall rule to a user profile that access is controlled by the schedule before the firewall rule is assessed.

I’m trying to allow access to the single site overriding or independent of the scheduling of the user profile.

Which I guess is a firewall rule that has its own schedule or the ability to allocate/change user profiles based on time scheduling.


Thank you for clarifying, I don’t think that is something we can do in the XIQ set up, I believe you would need to use your network firewall for that level of granular control. 

Thanks for investigating and for the forum support.
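
The second option raised in the question and pointed to in the accepted answer (clients stay associated around the clock and a network firewall enforces the hours), sketched as an added example that is not part of the thread and is not XIQ or any vendor's configuration. `Rule`, `evaluate`, `schedule_gated`, the hostnames and the hours are all hypothetical, and `schedule_gated` models the behaviour the question describes as an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time

ALL_DAYS = frozenset(range(7))        # Monday=0 .. Sunday=6
SCHOOL_DAYS = frozenset(range(5))
WEEKEND = frozenset({5, 6})

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    dest: str                         # hostname, or "*" for any destination
    days: frozenset = ALL_DAYS
    start: time = time.min            # windows here do not cross midnight
    end: time = time.max

    def matches(self, dest: str, when: datetime) -> bool:
        return (self.dest in ("*", dest)
                and when.weekday() in self.days
                and self.start <= when.time() <= self.end)

def evaluate(rules, dest, when):
    """First matching rule wins (top-down); no match means deny."""
    for rule in rules:
        if rule.matches(dest, when):
            return rule.action
    return "deny"

# Constructed sample policy for one year group; hostname and hours are made up.
ALWAYS_ON_SITE = "homework.example.org"
YEAR7_RULES = [
    Rule("allow", ALWAYS_ON_SITE),                               # any time
    Rule("allow", "*", SCHOOL_DAYS, time(7, 0), time(20, 30)),
    Rule("allow", "*", WEEKEND, time(9, 0), time(21, 0)),
    Rule("deny", "*"),                                           # explicit default
]

def schedule_gated(rules, dest, when, profile_window: Rule):
    """Assumed model of the thread's concern: if the profile's availability
    schedule is closed the client is disconnected, so no rule is consulted."""
    if not profile_window.matches("*", when):
        return "deny"
    return evaluate(rules, dest, when)

if __name__ == "__main__":
    late = datetime(2020, 9, 8, 23, 0)   # a Tuesday, after bedtime cut-off
    for host in (ALWAYS_ON_SITE, "video.example.net"):
        print(host, evaluate(YEAR7_RULES, host, late))
```

On a real firewall the always-on exception only works if the clients can still get an address and resolve the site's name outside scheduled hours, so DHCP and DNS need their own unscheduled allow rules above the time-based ones.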