We are trying to find the best way to integrate IoT devices into our wireless environment while still keeping them segmented from our network. Currently, we have an inherited guest setup that requires T&C acceptance via a captive portal with MAC Authentication/MAC Caching via guest on the back end. What is the best practice regarding IoT? Two things come to my mind. One: create a static host list for the IoT devices; if they match the SHL, then a CoA would be sent to change their VLAN to a segmented network. Then via our Palo Alto firewall, we would pare down their access based on the assigned VLAN. Two: allow them to connect to guest via an entry in the static host list and leave them there.
It seems dirty and that there would be a better way than to use MAC Caching, but I can't think of a way that would trigger the device to another VLAN when it is connecting via the same guest network as all the other smart devices...
Any thoughts are helpful.
Thanks!
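Option one from the question, modelled as an added example (not ClearPass, Aruba or Palo Alto code, and not from the original post): the client MAC is normalized, matched against a static host list, and on a hit the RADIUS attributes that a CoA-Request would carry to move the session to the IoT VLAN are built. The attribute names and numeric values come from RFC 3580 (VLAN assignment via tunnel attributes) and RFC 5176 (CoA); the MAC addresses, VLAN numbers and session id are constructed. The MAC normalization step is the part that most often bites in practice: the host list, the controller and the RADIUS client rarely agree on separator and case, and a mismatch means the device silently stays on guest.

```python
"""Decide the VLAN for a device that has authenticated on the guest SSID.

Constructed example for the question above (not ClearPass, Aruba or
Palo Alto code): models option one - match the client MAC against a
static host list and, on a hit, build the RADIUS attributes a CoA-Request
would carry to move the session to the IoT VLAN (RFC 3580 / RFC 5176).
All MAC addresses and VLAN numbers below are made up.
"""
import re
from dataclasses import dataclass

# RFC 3580 values for VLAN assignment via RADIUS tunnel attributes.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

GUEST_VLAN = 200   # constructed: where MAC-cached guest devices land by default
IOT_VLAN = 300     # constructed: segmented IoT VLAN the firewall policy keys on

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits with no separators.

    Static host lists and RADIUS clients disagree on formats
    (AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff),
    so compare in one canonical form or matches silently fail.
    """
    cleaned = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


@dataclass(frozen=True)
class StaticHostList:
    """The 'SHL' from the question: a set of known IoT MACs."""
    macs: frozenset

    @classmethod
    def from_entries(cls, entries):
        return cls(frozenset(normalize_mac(m) for m in entries))

    def __contains__(self, mac: str) -> bool:
        return normalize_mac(mac) in self.macs


def vlan_attributes(vlan_id: int) -> dict:
    """RADIUS attributes that put a wireless session into a VLAN (RFC 3580)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def decide_vlan(client_mac: str, shl: StaticHostList) -> int:
    """Option one from the question: SHL hit -> IoT VLAN, otherwise guest."""
    return IOT_VLAN if client_mac in shl else GUEST_VLAN


def build_coa(client_mac: str, acct_session_id: str, shl: StaticHostList):
    """Return the CoA-Request attributes (RFC 5176) for a session that should
    move to the IoT VLAN, or None when the device should stay on guest.

    The session is identified to the NAS by Calling-Station-Id and
    Acct-Session-Id; the tunnel attributes carry the new VLAN.
    """
    vlan = decide_vlan(client_mac, shl)
    if vlan == GUEST_VLAN:
        return None
    attrs = {
        "Calling-Station-Id": normalize_mac(client_mac),
        "Acct-Session-Id": acct_session_id,
    }
    attrs.update(vlan_attributes(vlan))
    return attrs


if __name__ == "__main__":
    # Constructed sample data: two IoT MACs in differing formats.
    shl = StaticHostList.from_entries(["00:11:22:33:44:55", "aa-bb-cc-00-11-22"])
    for mac in ("00:11:22:33:44:55", "AABB.CC00.1122", "de:ad:be:ef:00:01"):
        print(mac, "->", build_coa(mac, "sess-0001", shl) or "stay on guest VLAN")
```

Whatever the RADIUS server, the firewall rule on the IoT VLAN is what enforces the segmentation; the host list only decides placement. Since the match is on a MAC address, which any client can present, the IoT VLAN's policy should be written as a deny-by-default allow-list of the destinations those devices actually need, and session logs for the guest SSID should be reviewed for MACs from the host list that were not moved (a normalization mismatch) and for host-list MACs appearing from more than one session at once.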