Wireless Access

Reply
Regular Contributor I
Posts: 188
Registered: ‎03-22-2013

Can I grab all apple devices from an SSID and drop them on another vlan?

In order to fix an issue we have, Im wondering if I can do anything that could put all apple devices on a different vlan than the one for the SSID?  I cant just change the vlan for the ssid, and this would then break lots of other stuff, im just trying to seperate the apple evices...

 

I did consider an authentication/user rule using the apple mac identifier, but cant see how I could get this to only apply to device on a particular ssid...  I dont want this to affect apple devices on other ssids... 

 

Thanks

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

Do you have ClearPass?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

The main problem with this is that if you change the VLAN of a device, it will continue to think it has the same ip address and you will create a connectivity issue.

 

The short answer is no.

 

You can use "aaa user add" to change the role of an existing device indivdually and possibly the VLAN, but that creates the issue above.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

[ Edited ]

 Please see the attached DHCP Fingerprinting technote.    Specifically the User Role Derivation section.

 

EDIT; I mistook your post for role assignment, not VLAN mapping.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Regular Contributor I
Posts: 188
Registered: ‎03-22-2013

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

[ Edited ]

Yes we have clearpass, and could onboard them, but I think there are other things we need to consdier before doing this, and was just looking for a quick fix to a problem... while we work out the best solution...

 

Id assumed if we simply dropped the device on a dfferent vlan, it would pick up the appropriate address...

 

Ill check out the dhcp fingerprinting info.. thanks....

 

 

 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

[ Edited ]

EDIT; I mistook your post for role assignment, not VLAN mapping.   However, if you do have ClearPass and the devices are already profiled as Apple specific devices, you can use CPPM to return an appropriate VLAN to the controller.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 41
Registered: ‎05-15-2014

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

couldn't you just enhance the service so that if it detects its an Apple device, you assign an Apple specific profile with the required vlan number returned back to the controller/iAP? I don't think it needs a full onboard
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Can I grab all apple devices from an SSID and drop them on another vlan?

That would work the second time the device authenticated if you're doing a MAC auth. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: