Hi Ajin,
You need to profile your endpoints, and that's what you need Aruba ClearPass for. Without ClearPass you can use a classic (less secure) method, PSK-Personal + MAC authentication, but you need to manage all the MAC addresses you want to allow.
Note: All MAC addresses can be sniffed from the air (802.11 frames) without any need to connect to the network, so MAC address filtering is also not secure and can be spoofed easily.
If we dive a bit deeper into how we get online, we have the following phases:
1. 802.11 association / 802.11 authentication
2. Authentication / Encryption
3. IP assigned (DHCP)
4. Default Role
5. Network Access
In phase 2 we have the WPA2-Personal authentication, where we know nothing about the client and have no way to filter "client types" from each other.
What ClearPass does: first, we use WPA2-Enterprise (RADIUS), which gives much more insight into the authentication and is much more secure. Secondly, ClearPass uses phase 3 to get profiling information based on the DHCP request of the client. ClearPass now knows it's a mobile device and sends a Change of Authorization (CoA) message; the client reconnects and starts the process again. This time we know this client, and it will be blocked in phase 2 of the authentication process based on a ClearPass security policy. Normally there are two VLANs used for this process: one onboarding VLAN with fewer rights and one client VLAN.
When you take security seriously, you definitely have to move to WPA2-Enterprise with a RADIUS server, where Aruba ClearPass is the best solution to achieve this.
------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------
Original Message:
Sent: Sep 30, 2021 01:56 AM
From: Ajin Skariah
Subject: Block Mobile Devices on SSID
Hello,
I have a 7030 mobility controller running 8.6.x software. I have a requirement in one particular SSID to not allow any mobile devices (iOS and Android) to connect. The authentication method is PSK. How do I achieve this without a ClearPass solution? I have PEFNG licenses installed.
Thanks,
------------------------------
Ajin Skariah
------------------------------
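The DHCP profiling step described in the reply above, as an added example that is not part of the original thread and not ClearPass's own logic: it parses the options of a DHCP request and maps the result to a policy decision. The function names, the matching rules and the sample option blocks are constructed assumptions.

```python
# Added example: classify a client from its DHCP request options.
# The rules are simplified assumptions, not ClearPass's fingerprint database.

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the option TLVs that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option: one byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = value
        i += 2 + length
    return opts

def profile(options: bytes) -> str:
    """Return 'mobile' or 'unknown' from option 60 (vendor class) and 12 (hostname)."""
    opts = parse_dhcp_options(options)
    vendor = opts.get(60, b"").decode("ascii", "replace").lower()
    host = opts.get(12, b"").decode("ascii", "replace").lower()
    if vendor.startswith("android-dhcp"):    # vendor class sent by Android's DHCP client
        return "mobile"
    if "iphone" in host or "ipad" in host:   # hostname heuristic (assumption)
        return "mobile"
    return "unknown"

def decide(options: bytes) -> str:
    """Policy from the thread: block mobile devices, others go to the client VLAN."""
    return "block" if profile(options) == "mobile" else "client-vlan"

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample option blocks (not captured traffic).
ANDROID = opt(53, b"\x01") + opt(60, b"android-dhcp-11") + b"\xff"
IPHONE = opt(53, b"\x01") + opt(12, b"Johns-iPhone") + b"\xff"
LAPTOP = opt(53, b"\x01") + opt(12, b"LAPTOP-7F3K") + opt(60, b"MSFT 5.0") + b"\xff"

if __name__ == "__main__":
    for name, pkt in [("android", ANDROID), ("iphone", IPHONE), ("laptop", LAPTOP)]:
        print(name, profile(pkt), decide(pkt))
```

Option 12 and option 60 are set by the client, so, like a MAC address, they can be spoofed.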