08-20-2018 04:08 AM
Hi Team,
I have some questions regarding aerohive
Can AeroHive block certain device types; for example based on the operating system version that the device use, or based on whether it’s a phone or a tab or laptop?
Can Aerohive provide AD functionality on the cloud? For example, to authenticate user from cloud. This is to provide resiliency against local AD failures.
08-20-2018 06:18 PM
Hello, yes we either do this via the user profile MAC firewall policy, or with client classification.
To do this via the MAC firewall you'll want to open the SSID object> Open the user profile> On the Security tab toggle Firewall Rules to "On"> Select MAC Firewall> Add> Fill in the Source MAC field with the OS you want to block> Set the Destination MAC to "Any" > Change the Action to "Deny"> Save. This will block any devices with the specified OS from connecting to this SSID.
To do this with client classification, you will want to create a default user profile for users you do want on your network> check the box directly under the user profile next to "Apply a different user profile to various clients and user groups"> Add> Create a second user profile on a VLAN that does not exist (so clients that connect with this user profile cannot fully connect)> Click on the plus icon under "Assignment Rules"> Click on the plus icon in the small User Profile Assignment window that comes up and select the type of classification you would like to use (OS, MAC, Location, or Schedule). Once this is in place, any clients connecting that match the criteria you set for the classification type will be moved to this secondary user profile, which does not have an active VLAN, so all traffic will drop.
You can also do this in reverse by having a default user profile with a dead VLAN, and a secondary user profile with an active VLAN that clients can reach only if they match the criteria you set in the assignment rules, whichever way works best for your deployment.
As for your AD question, we can host local RADIUS users on the HiveManager, but this doesn't really equal an AD. We can link the RADIUS setup to any external AD you have, so you could change over to a backup in the case of a local failure.
08-31-2018 02:51 AM
Thank you Sam
08-21-2018 02:08 PM
Hello, yes exactly. The AP will detect the OS type of the device based on the DHCP Option 55 parameters that the device will submit when connecting, and then it will classify the device from there. If we ever run into a device that isn't classifying correctly, we'd just need a packet capture to find the Option 55 parameters of that client, so we can add a new OS object to the HiveManager so we can identify that client device in the future.
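As an added illustration (not Aerohive's code), here is the mechanism Sam describes: pull the Option 55 Parameter Request List out of a DHCP options field, match it against an OS fingerprint table, and route a matched OS to a dead-VLAN user profile. The packet bytes and the fingerprint table are constructed for this example and are not HiveManager's OS objects.

```python
# Added example (not Aerohive's code): parse DHCP Option 55 (Parameter Request
# List) from a raw options blob and match it against a fingerprint table, the way
# an AP classifies a client's OS before choosing a user profile. The packet bytes
# and the fingerprint table below are CONSTRUCTED for illustration.

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field

def parse_options(options: bytes) -> dict:
    """Parse TLV DHCP options (RFC 2132) into {code: value}; stops at END (255)."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i, parsed = len(DHCP_MAGIC), {}
    while i < len(options):
        code = options[i]
        if code == 255:            # END option: nothing follows
            break
        if code == 0:              # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:   # reject a packet cut off mid-option
            raise ValueError("truncated option %d" % code)
        parsed[code] = value
        i += 2 + length
    return parsed

def parameter_request_list(options: bytes) -> tuple:
    """Return Option 55 as a tuple of requested option codes (empty if absent)."""
    return tuple(parse_options(options).get(55, b""))

# Constructed fingerprint table: exact Option 55 sequence -> OS label.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows (constructed)",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS/iOS (constructed)",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android (constructed)",
}

def classify(options: bytes) -> str:
    """Map a client's Option 55 list to an OS label; an unknown list needs a new OS object."""
    return FINGERPRINTS.get(parameter_request_list(options), "unknown")

def choose_profile(os_label: str, blocked: set) -> str:
    """Assignment-rule analogue: a blocked OS lands on the dead-VLAN profile."""
    return "quarantine-profile (no VLAN)" if os_label in blocked else "default-profile"

# Constructed DISCOVER options: message type (53) = 1, an Android-like Option 55, END.
SAMPLE_OPTIONS = DHCP_MAGIC + bytes([53, 1, 1]) + bytes([55, 10, 1, 3, 6, 15, 26, 28, 51, 58, 59, 43]) + b"\xff"
```

Option 55 is a heuristic, not an identity: a client controls what it requests, so treat the resulting profile assignment as a convenience control and verify an unexpected "unknown" with a capture, as the reply above suggests.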
08-21-2018 03:08 AM
Hi Sam,
Thank you for the explanation. So basically Hive can identify whether it is a phone or a laptop, and based on that we can fine-tune, right?