User Profile Client Classification/Assignment

AnonymousM
Valued Contributor II

A customer has a client classification in their default untrusted user profile which moves the client to the trusted VLAN based on domain name string (wildcard).

 

This essentially allows their 802.1x Corp SSID to be used for both domain corp laptops and staff BYOD.

 

Is this possible in NG under User Profile Assignment? 

 

I have not seen this done; normally I have offered one 802.1x SSID for Corp and another 802.1x SSID for BYOD to allow staff to join using AD credentials.

 


This image shows the config in Classic for the Domain Client Classification object:


7 REPLIES

mmarengo
New Contributor

 

I am running into a similar scenario. I am trying to use Classification Rules using Domain Objects to push clients to a different User Profile, but I have not had much luck unless I leave all the options set to any-any.

Here is my setup.

  1. The SSID is using RADIUS
  2. The RADIUS Server MS NPS forwards the connection request to an external RADIUS Server "ANYROAM"
  3. Clients get authenticated and put on the default VLAN 100
  4. Using Classification Rules, Aerohive HM Classic pushes all clients to VLAN 425

The goal will be to NOT push all clients to VLAN 425, only the ones coming from a certain domain name.

Whenever I try to configure a domain object with the domain example.edu, it looks to be ignored by Aerohive and users are put on the default VLAN.

I am not able to use NPS to send any attributes or a network policy because the request for this connection is forwarded to an external RADIUS Server.

Any ideas or suggestions will be much appreciated.

Thank you,

 

AnonymousM
Valued Contributor II

Thanks Ashley, that sounds a good plan. The domain hostname is used to distinguish a machine-certificate-based corp laptop from a BYOD device which is authenticated using AD credentials. It places the device in either the trusted or untrusted default user profile.

Just to confirm, there is only a single domain - the multiple lines were different wildcard variations.

Is there a RADIUS attribute that can be used to classify whether the machine certificate is returned or not returned? If it is not returned, then the client is classified as BYOD, but if the certificate passes, then it is classified as a corp client machine.

 

ashley_finch
Contributor III

The link isn't working for me either.

 

Instead of the above, could you enable "Allow user profiles assignment using RADIUS attributes" and then return a specific attribute that would then place the user in a particular user profile?

You mentioned that they're using domain names to separate this at the moment, are these part of the username e.g. user1@example.com? Then you may be able to use the 1_User-name attribute and return the example.com for a particular profile, then a different one for the others. I guess setup may not reflect that and it's not something I've set up in that way before, but trying to think outside the box!
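
The decision a RADIUS server would have to make for the attribute-based approach suggested above, as an added example that is not part of the original thread and is not Aerohive, NPS or HiveManager configuration: it splits corp laptops from BYOD by EAP method and by the domain of the authenticated identity, matching the domain on a label boundary so a loose wildcard cannot be satisfied by a look-alike name. The function names, the `host/` machine-identity form and the profile attribute values `10` and `20` are assumptions made for illustration.

```python
# Added example: names and numbers below are assumptions, not vendor settings.
CORP_DOMAIN = "example.com"               # domain from the thread's example
PROFILE_ATTR = {"corp": 10, "byod": 20}   # hypothetical user-profile attribute values


def realm_of(identity):
    """Return the lower-cased DNS domain of an authenticated identity.

    Handles 'user@realm' and machine identities of the form 'host/name.domain'.
    Anything else (including DOMAIN\\user) yields '' and is left unclassified.
    """
    ident = identity.strip().lower()
    if ident.startswith("host/"):
        return ident[len("host/"):].partition(".")[2]
    if "@" in ident:
        return ident.rpartition("@")[2]
    return ""


def in_domain(realm, domain=CORP_DOMAIN):
    """Match the domain itself or a true subdomain, on a label boundary."""
    return realm == domain or realm.endswith("." + domain)


def classify(eap_method, identity):
    """Return 'corp', 'byod' or None (leave the client in the default profile)."""
    if not in_domain(realm_of(identity)):
        return None
    is_machine = identity.strip().lower().startswith("host/")
    # Only a certificate-authenticated machine identity counts as a corp laptop.
    if eap_method == "EAP-TLS" and is_machine:
        return "corp"
    return "byod"


def reply_attribute(eap_method, identity):
    """Map the classification to the value returned to the access point."""
    kind = classify(eap_method, identity)
    return None if kind is None else PROFILE_ATTR[kind]
```

The identity passed in should be the one the RADIUS server actually authenticated (certificate subject or inner identity), since the outer EAP identity is chosen by the client.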

AnonymousM
Valued Contributor II

Hi, thanks for the file. Yep, I was logged in for the URL.

 

It appears it is no longer possible in NG to select/classify clients based on their laptop Domain Name, like in Classic.

 

The options are limited to OS, MAC, location and Schedule.

 

I will see if the customer is happy to use a second SSID for this now.

 

Thanks
