Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Can I grab all apple devices from an SSID and drop them on another vlan?

  • 1.  Can I grab all apple devices from an SSID and drop them on another vlan?

    Posted Jan 21, 2015 10:40 AM

    In order to fix an issue we have, I'm wondering if I can do anything that could put all Apple devices on a different VLAN than the one for the SSID? I can't just change the VLAN for the SSID, and this would then break lots of other stuff, I'm just trying to separate the Apple devices...

    I did consider an authentication/user rule using the Apple MAC identifier, but can't see how I could get this to only apply to devices on a particular SSID... I don't want this to affect Apple devices on other SSIDs...

    Thanks



  • 2.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    EMPLOYEE
    Posted Jan 21, 2015 10:41 AM
    Do you have ClearPass?


  • 3.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    Posted Jan 21, 2015 10:46 AM

    Yes, we have ClearPass and could onboard them, but I think there are other things we need to consider before doing this, and was just looking for a quick fix to a problem... while we work out the best solution...

    I'd assumed if we simply dropped the device on a different VLAN, it would pick up the appropriate address...

    I'll check out the DHCP fingerprinting info... thanks...



  • 4.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    EMPLOYEE
    Posted Jan 21, 2015 10:43 AM

    The main problem with this is that if you change the VLAN of a device, it will continue to think it has the same IP address and you will create a connectivity issue.

    The short answer is no.

    You can use "aaa user add" to change the role of an existing device individually and possibly the VLAN, but that creates the issue above.



  • 5.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    Posted Jan 21, 2015 10:45 AM

    Please see the attached DHCP Fingerprinting technote. Specifically the User Role Derivation section.

    EDIT: I mistook your post for role assignment, not VLAN mapping.




  • 6.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    Posted Jan 21, 2015 10:52 AM

    EDIT: I mistook your post for role assignment, not VLAN mapping. However, if you do have ClearPass and the devices are already profiled as Apple specific devices, you can use CPPM to return an appropriate VLAN to the controller.



  • 7.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    Posted Jan 21, 2015 02:45 PM
    Couldn't you just enhance the service so that if it detects it's an Apple device, you assign an Apple specific profile with the required VLAN number returned back to the controller/IAP? I don't think it needs a full onboard.


  • 8.  RE: Can I grab all apple devices from an SSID and drop them on another vlan?

    EMPLOYEE
    Posted Jan 21, 2015 03:08 PM
    That would work the second time the device authenticated if you're doing a MAC auth. 


    Thanks, 
    Tim