Contributor I
Posts: 29
Registered: ‎01-26-2012

iPAD and iPHONES, how to see the difference?

I have a customer that uses iPads in production. They want to allow iPads but disallow iPhones (and all other smart devices) on the network. They do not want to use MAC authentication. I have looked into BYOD and it looks as if iPhones and iPads are sending the same DHCP fingerprint. But the controller sees the difference (client → device types). Does anyone know how to use User Rules for this?

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: iPAD and iPHONES, how to see the difference?


tom.christensen@nordialog.no wrote:

I have a customer that uses iPads in production. They want to allow iPads but disallow iPhones (and all other smart devices) on the network. They do not want to use MAC authentication. I have looked into BYOD and it looks as if iPhones and iPads are sending the same DHCP fingerprint. But the controller sees the difference (client → device types). Does anyone know how to use User Rules for this?


You are correct; the DHCP signatures for an iPad and an iPhone are the same. You can only use the DHCP fingerprint for a user derivation rule. The controller sees the difference in devices by inspecting the browser string, but we cannot create a user derivation rule based on a browser string. Browser strings are unreliable and can be faked, anyway, so that would not be a reliable method to disallow access.

What are the iPads using for access to the network, currently?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
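The point made in the answer above, shown as an added example (not part of the original posts and not Aruba code): two clients that send the same option 55 parameter request list produce the same DHCP fingerprint, so a rule keyed on it cannot separate them. The option bytes, the hostnames and the hex representation (option number followed by its value) are constructed assumptions, not values captured from real devices or taken from the controller.

```python
# DHCP option codes (RFC 2132)
PAD, END, HOSTNAME, PARAM_REQUEST_LIST = 0, 255, 12, 55

def parse_dhcp_options(raw: bytes) -> dict:
    """Parse the TLV options field of a DHCP message (bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: join split options
        i += 2 + length
    return opts

def option55_fingerprint(raw: bytes) -> str:
    """Option number followed by its value, as uppercase hex ('' if option 55 is absent)."""
    prl = parse_dhcp_options(raw).get(PARAM_REQUEST_LIST)
    return "" if prl is None else (bytes([PARAM_REQUEST_LIST]) + prl).hex().upper()

def build_request(hostname: bytes) -> bytes:
    """Constructed DHCPREQUEST options; the parameter list is illustrative, not a capture."""
    return (bytes([53, 1, 3])                            # message type: REQUEST
            + bytes([55, 6, 1, 3, 6, 15, 119, 252])      # same list for both devices
            + bytes([HOSTNAME, len(hostname)]) + hostname
            + bytes([END]))

IPAD_OPTS = build_request(b"Floor-iPad")      # constructed sample
IPHONE_OPTS = build_request(b"Toms-iPhone")   # constructed sample

if __name__ == "__main__":
    for name, raw in (("iPad", IPAD_OPTS), ("iPhone", IPHONE_OPTS)):
        host = parse_dhcp_options(raw)[HOSTNAME].decode()
        print(f"{name:7} fingerprint={option55_fingerprint(raw)} hostname={host}")
```

The hostname option differs between the two samples, but it is client-supplied, like the browser string, so it is no more dependable as an access-control input.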

Contributor I
Posts: 29
Registered: ‎01-26-2012

Re: iPAD and iPHONES, how to see the difference?

The iPADs are using the WLAN with 802.1x authentication.

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: iPAD and iPHONES, how to see the difference?


tom.christensen@nordialog.no wrote:

The iPADs are using the WLAN with 802.1x authentication.


Well, you have a two-fold issue: Any handheld device can get on using 802.1x.

You might want to create a WPA2-PSK SSID specifically for iPads and other non-domain devices that you want on your network. For your 802.1x SSID you might want to turn on "Enforce Machine Authentication" in the 802.1x profile to ensure that only domain devices get on that network. Please check out the thread here: http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Machine-amp-User-Authentication-iPhones-getting-online/m-p/1638/highlight/true#M18

Colin Joseph
Aruba Customer Engineering
