
BLOCK mobile phones on corporate SSID but ALLOW them on guest SSID

david_fig
New Contributor

We have two (2) wireless networks (SSIDs) that are on different subnets (192.168.x.x/24 - corporate) and (172.16.x.x/24 - guest). I need to BLOCK all mobile phones from the corporate network (192.168.x.x/24) and only allow them on the guest network (172.16.x.x/24). I haven't found an effective way to do this other than blocking MAC addresses one-by-one. I simply need a policy that does not allow Android or iOS operating systems on the corporate network. Any assistance would be appreciated.

 

 

1 ACCEPTED SOLUTION

samantha_lynn
Esteemed Contributor III

Great, I see you've tagged this as HiveManager (formerly NG), so the instructions that follow would be for that platform.

 

You would want to open the SSID and go down to the user profile section. Check the box next to "Apply a different user profile to various clients and user groups", then add a user profile to the new section you have (the one we want to direct the mobile devices to). Once you've added the new user profile, click on the small plus icon next to Assignment Rules. You can name the rule whatever you'd like, then click on the plus icon and select Client OS type. Next select the OS types you would like to block and save.

 

This will direct the OS types you specified to the secondary user profile, which can be on a dead VLAN to drop the traffic altogether, or have different rules and restrictions applied to it, whatever works for you.

 

Please let me know if I can clarify anything. I'll work on getting a how-to guide made for this process for the HiveManager (formerly NG) platform.


9 REPLIES

ITS3
New Contributor
Hi there,
I'm interested in the HOWTO guide on this too. Are you able to share?

Thank you.

david_fig
New Contributor

Thank you for your input - much appreciated!! We are doing a complete network refresh and have lots of moving parts.

samantha_lynn
Esteemed Contributor III

You'd want to put the users in different user profiles, so you can assign different VLANs, so they can reach their respective subnets. This is very similar to what we did above, using rules to assign different users to different user profiles, only this time it won't be for dead VLANs. You'd have to find a way to classify the users, to tell them apart for the sorting into the different user profiles. Your options for classifying users are: User group, OS type, MAC address, Client location, and Schedule. For your use case, if you have Maps set up for your different locations with the APs placed on the maps, I would say sorting by Client location would be easiest, unless you are already separating them into different PPSK user groups.

david_fig
New Contributor

One last thing outside of this QUESTION - we are new to Aerohive and want to roll it out to our other eight (8) locations. If you can point to a HOWTO guide to implement a single policy for multiple sites when each site is its own subnet. For example:

Site A: 192.168.1.x

Site B: 192.168.2.x

Site C: 192.168.3.x

you get the idea.

 

Thanx in advance.
