Does anyone know if we can stop cellular devices from connecting to specific SSID?

  • 1.  Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Jan 27, 2023 02:23 PM
    I have an SSID that I would like to stop Cellular devices from being able to connect to. 
    We currently have them set so they are unable to authenticate, BUT they are still consuming IPs from a DHCP scope. 
    - Attempts to shorten the DHCP lease time have helped a little but have not completely averted the problem. 
    - More IPs were thrown at the DHCP scope, but they have quickly been chewed up. 

    We were thinking if there was a way to stop them from connecting in the first place they would never get an IP. 

    Thanks, 
    Dave




  • 2.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Jan 29, 2023 03:18 PM
    The only way to really achieve this practically is to implement a pre-shared key to stop devices connecting or, even better, implement 802.1X with EAP-TLS and machine authentication. This way the device will not be able to obtain an IP until it has completed authentication at Layer 2.


  • 3.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    EMPLOYEE
    Posted Jan 31, 2023 08:22 AM
    If you have ClearPass and know the devices that try to connect and should not get access, you may reject or assign a denyall role from ClearPass.

    From your description, it feels like there is information missing, like the type of network, authentication/encryption, device types that should have access and those that shouldn't. Some more context may help if you didn't have your question answered.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Jan 31, 2023 04:10 PM

    We are not using CPass for our internal Wireless Network authentication.

    We are using a separate NAC service, the same one we use for wired devices on the internal network.

    The issue, much like it would be for CPass, is that they need an IP just to get to the authentication service.

    * We want to try and stop them at the time of connection attempt to the SSID if possible (at the controller).

    Something like "Unable to connect to the network" but only for specific devices, or the opposite: only allow certain device types to connect.

    I purposely left out the authentication component because I want to stop them before an authentication attempt occurs.
    That was where my question was directed for this forum.

    We are looking at numerous other options from the authentication perspective, but that is not what I want from this thread.

    Thanks,
    Dave Jones 
    Network Infrastructure Architecture Specialist,
    ICNOP – BELL,
    22 Botsford St, Moncton NB E1C 4W7
    TEL (506)856-7419 Cell (506) 381-3831
    email: david.jones@bellaliant.ca 
    _______________________________________ 

     






  • 5.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Jan 31, 2023 04:59 PM
    The only way to do this is with authentication of the device using L2 methods such as PSK or 802.1X. 

    You can't do captive portal authentication without an IP address. 

    MAC authentication also wouldn't be useful, as most devices use randomised MAC addresses now, so you'd have to manually blacklist devices, or alternatively you could whitelist all known devices, but this is a very weak security control. 





  • 6.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Feb 01, 2023 07:49 AM

    Thank you.

    That is what I expected.

    Best Regards,
    Dave Jones 
    Sr. Technical Architect,
    ICNOP – BELL,
    22 Botsford St, Moncton NB E1C 4W7
    TEL (506)856-7419 Cell (506) 381-3831
    email: david.jones@bellaliant.ca 
    _______________________________________ 





  • 7.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    EMPLOYEE
    Posted Feb 01, 2023 04:57 AM
    Hi @djones,

    Generally authentication takes place prior to IP addressing. @scottdoorey mentions this in his response where he states "authentication of the device using L2 methods such as PSK or 802.1x". By this he means that the authentication takes place at Layer 2 and actually occurs prior to Layer 3. The network edge will almost always block device traffic (including DHCP) prior to a successful authentication resulting in accepted access. With ClearPass, as an example, you could use profiling to determine that the device is a cellular device (or an unwanted device type) and build policy denying access to these types of devices so they cannot consume an IP address from your DHCP pool and, more importantly, gain access to your network, if that is the goal. The device does not need an IP address to reach the authentication service in the case of network authentication mechanisms such as MAC authentication, pre-shared key (and SAE) or 802.1X.

    Device profiling within the wireless infrastructure will possibly help you reject some devices. However Device Type Classification is not always possible, so it would not be a fail safe solution.

    Are you using controllers/gateways, Instant or APs in Central? If you could give us a little more detail it might help. Including the NAC, just in case that can be of use.





  • 8.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Feb 01, 2023 05:19 AM
    The catch with a profiling-based solution is that you would generally need DHCP traffic to do the profiling, which would in turn require an IP address to be issued.


  • 9.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    EMPLOYEE
    Posted Feb 01, 2023 08:34 AM
    A DHCP response is not required... In the case of ClearPass profiling based on DHCP fingerprinting, only the initial DHCP discover/request is required.
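As an added example (editor's code, not from any post in this thread and not ClearPass's implementation), the parser below shows the two points made in replies 5 and 9 in working form: everything a DHCP fingerprint is built from (option 55 parameter request list, option 60 vendor class, option 12 hostname) is already in the client's own DHCPDISCOVER, so no offer or ACK and no leased address is needed before a deny decision; and a randomised MAC is recognisable from the locally-administered bit, which is why a MAC whitelist is weak. The packet layout follows RFC 2131/2132. The two sample Discovers, the hostnames, and the vendor-class classification rules are constructed assumptions standing in for a real profiler's fingerprint database.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"                       # RFC 2131 start-of-options marker
OPT_PAD, OPT_HOSTNAME, OPT_MESSAGE_TYPE = 0, 12, 53
OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS, OPT_END = 55, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


@dataclass
class DhcpFingerprint:
    mac: str
    mac_randomized: bool          # locally-administered (U/L) bit set in the first octet
    message_type: str
    hostname: Optional[str]
    vendor_class: Optional[str]
    param_request_list: List[int]


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area: skip PAD, stop at END, refuse truncated options."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_discover(packet: bytes) -> DhcpFingerprint:
    """Fingerprint the client-originated BOOTREQUEST only; no server reply is consulted."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("expected an Ethernet BOOTREQUEST")
    chaddr = packet[28:28 + hlen]                         # client hardware address field
    opts = parse_options(packet[240:])
    mtype = MSG_TYPES.get(opts.get(OPT_MESSAGE_TYPE, b"\x00")[0], "UNKNOWN")

    def text(code: int) -> Optional[str]:
        return opts[code].decode(errors="replace") if code in opts else None

    return DhcpFingerprint(
        mac=":".join(f"{b:02x}" for b in chaddr),
        mac_randomized=bool(chaddr[0] & 0x02),           # IEEE U/L bit: 1 = locally administered
        message_type=mtype,
        hostname=text(OPT_HOSTNAME),
        vendor_class=text(OPT_VENDOR_CLASS),
        param_request_list=list(opts.get(OPT_PARAM_REQUEST_LIST, b"")),
    )


def classify(fp: DhcpFingerprint) -> str:
    """Assumed toy rules standing in for a profiler's fingerprint database."""
    vc = (fp.vendor_class or "").lower()
    if vc.startswith("android-dhcp"):
        return "cellular"
    if vc.startswith("msft"):
        return "windows"
    return "unknown"


def decide(packet: bytes) -> str:
    """Policy applied on the Discover alone, before any lease is ever offered."""
    return "deny" if classify(parse_discover(packet)) == "cellular" else "allow"


def build_discover(mac: bytes, hostname: str, vendor_class: str, prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER for the demo (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)   # BOOTREQUEST, broadcast flag
    hdr += b"\x00" * 16 + mac.ljust(16, b"\x00") + b"\x00" * (64 + 128)  # ciaddr..giaddr, chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, 1])
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    opts += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + prl
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed samples: a phone using a randomised MAC, and a corporate Windows laptop.
PHONE = build_discover(bytes.fromhex("da1b2c3d4e5f"), "Pixel-7", "android-dhcp-13",
                       bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43]))
LAPTOP = build_discover(bytes.fromhex("3c22fb0a0b0c"), "CORP-LAPTOP-01", "MSFT 5.0",
                        bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252]))

if __name__ == "__main__":
    for pkt in (PHONE, LAPTOP):
        fp = parse_discover(pkt)
        print(fp.mac, "randomised" if fp.mac_randomized else "burned-in", fp.vendor_class,
              fp.param_request_list, "->", decide(pkt))
```

The decision is taken from the Discover alone, which is the property the thread is after: a profiler sitting on a DHCP relay or span port sees this packet whether or not a server ever answers it. Note that the phone's MAC has the 0x02 bit set in its first octet, so it will differ on the next association; the vendor class and parameter request list are the stable part of the fingerprint, and even those are not fail-safe (reply 7's caveat).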


  • 10.  RE: Does anyone know if we can stop cellular devices from connecting to specific SSID?

    Posted Feb 01, 2023 08:00 AM

    In response to this.... "and actually occurs prior to Layer 3."
    On a packet capture the controller puts the client into a logon role and provides an IP from a DHCP pool in order to send the client (with their assigned IP) to authenticate 802.1x to a NAC server. So L3 is required for this function.

    We currently have MC and MD controllers.

    We do have control working at that level. NAC gets the device fingerprint from the controller and flags the device as a cellular device, stops it from connecting to the network, and actually changes its VLAN to one without an IP.

    Best Regards,
    Dave Jones 
    Sr. Technical Architect,
    ICNOP – BELL,
    22 Botsford St, Moncton NB E1C 4W7
    TEL (506)856-7419 Cell (506) 381-3831
    email: david.jones@bellaliant.ca 
    _______________________________________