Wireless Access

DHCP fingerprint deny smartphone and tablet access but allow some to access

  • 1.  DHCP fingerprint deny smartphone and tablet access but allow some to access

    Posted Apr 10, 2013 04:41 AM

    I have helped my customer create a User-Derived Role to deny smartphone and tablet access to the "Office SSID", based on the OS DHCP fingerprint. But now my customer wants to allow a few tablet users to access the "Office SSID". I tried to create a policy to allow a few tablet users to access the "Office SSID" based on the device IP address, but I have some problems:

    1. The tablet cannot connect to the "Office SSID" straight away; it needs to connect to the "Guest SSID" first, then disconnect and connect back to the "Office SSID", and then it works fine. "Guest SSID" authentication uses WPA2 and "Office SSID" uses 802.1x. (At Building A)

    2. If the user moves to "Building B", the tablet user is not able to access the "Office SSID", because "Building B" doesn't have the "Guest SSID", as office policy does not allow it.

    Is there any other way to allow a few tablet users (Android OS) to access the "Office SSID" but still deny access for all other tablet users?

    Please advise.



  • 2.  RE: DHCP fingerprint deny smartphone and tablet access but allow some to access

    EMPLOYEE
    Posted Apr 10, 2013 06:42 AM

    If you are only allowing laptops on, why don't you turn on enforce machine authentication and then create exceptions in the local user database for the mobile devices that you want to allow on?

     



  • 3.  RE: DHCP fingerprint deny smartphone and tablet access but allow some to access

    Posted Apr 10, 2013 08:38 AM

    @cjoseph wrote:

    If you are only allowing laptops on, why don't you turn on enforce machine authentication and then create exceptions in the local user database for the mobile devices that you want to allow on?

     


    I cannot turn on Enforce Machine Authentication because my customer's environment doesn't support it; there are some problems when it is enabled. My customer just wants to allow a few tablet users (Android OS) to have access, and all others are not allowed. My customer wants to allow Windows and Mac OS laptops to access the "Office SSID".

     

    Just want to confirm: if I create a Derived Role with a DHCP fingerprint deny policy, does it always take precedence over the "allow policy" even if I have defined the IP address for the device?

     

    Please advise.



  • 4.  RE: DHCP fingerprint deny smartphone and tablet access but allow some to access
    Best Answer

    EMPLOYEE
    Posted Apr 11, 2013 05:56 PM

    The rules that make changes based on DHCP fingerprint are user derivation rules. Those would be the same rules that you would use to make exceptions for MAC addresses of devices. If you only had a device or two to manage, this would be workable. More than that and it is not a good way to do it. Basically you would end up doing DHCP fingerprinting for every type of device to ensure that they are allowed to connect. I do not know enough about your setup to propose a workable solution.