This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

restrict device type connecting to wireless

restrict device type connecting to wireless

Renne_Stuart
New Contributor

‎07-02-2015 09:26 AM

Is there a way of restricting the type of device that is allowed to connect to an SSID? One of our customers has an SSID that is enabled for Radius authentication and unless you have a laptop that is part of the domain it will not be allowed to connect, which is what they want. However the exception to this is if a user has a mobile device such as an android or apple device they are able to download a certificate once they authenticate with their domain credentials and connect. Is there a way of stopping the mobile devices connecting?

Customer comments below:
From what I can tell with the wifi, is that - with or without a Radius policy (if its not a domain joined laptop) you can’t seem to logon with staff or student credentials which is fine. However with Andrio\IOS tested on ipad and phone, you can log onto "staff_SSID" with staff or student credentials and also, even before you get to smoothwall to sign in, Apps will update such as Facebook.

Ideally Id like to lock down the Staff to work effectively without mobile and apple devices being able to connect.

Ipad asks to trust the school DC Cert and then lets you in. Android lets you straight in.

They currently have a v9 wireless controller without NAC.

0 Kudos
11 REPLIES 11

TylerMarcotte
Extreme Employee

‎07-02-2015 04:08 PM

If the customer was interested in NAC, this is where you would typically check for these types of settings. Our NAC solution has the ability to detect device types, and based off that device type, it can make a decision about what to do for that user. That decision may be to deny access to the SSID so they cannot connect.

So for your scenario, users may be able to connect with their domain credentials or certificates, but if the device type is a mobile device, then it will be denied and they will not connect to the SSID.
0 Kudos

Ronald_Dvorak
Honored Contributor
In response to TylerMarcotte

‎07-02-2015 04:08 PM

e4f64c6168db4575bb8fa4cabed4fe84_RackMultipart20150826-27329-6q011n-NAC_gaming_inline.png


0 Kudos

Ronald_Dvorak
Honored Contributor
In response to TylerMarcotte

‎07-02-2015 04:08 PM

1. neither support 802.1X as far as I'm aware
2. you can't "block" them - you'd just put them in a "deny" role, so they would be connected to the SSID but can't rx/tx any data and hopefully the owner of the device will not longer try to access the SSID

So in case you use a PSK SSID just enable MAC based authentication and use the NAC for authentication.
Add a rule with "device type group" gaming and a deny profile.
Add another rule which must be after the deny which allows all other devices.

If the gaming device connects to the SSID the NAC should authenticate it with the deny role and other devices get the allow role.

I've tried it and it works for the PS4 but unfortunately the XBOX One is identified as device type "Windows".

So you'd need to open a ticket so the GTAC could try to add a better fingerprint.
They have done it for me with the right data within a day for some other devices.
Here a link what data they need from you....
https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

-Ron
0 Kudos

Kent_Sapp
New Contributor
In response to TylerMarcotte

‎07-02-2015 04:08 PM

We have NAC and would like to block Game Devices like Playstations from our SSIDs. How would we go about doing that?
0 Kudos

Renne_Stuart
New Contributor
In response to TylerMarcotte

‎07-02-2015 04:08 PM

thanks, ill see where we get to with mac-authentication otherwise will suggest NAC if they really want this feature

0 Kudos
GTM-P2G8KFN