Meraki

Community

Notification for any client being blocked?

NolanHerring
Kind of a big deal
‎Oct 30 2018 10:10 AM
‎Oct 30 2018 10:10 AM

Notification for any client being blocked?

Hi guys,

 

I have enabled 'Assign group policies by device type' to block mobile BYOD devices (iphone/android), so that they can't join when someone uses their AD credentials (they love to try).

 

This works well for the most part. However, every now and then, maybe a few times a week, an Apple Macbook Pro will be falsely detected as an iPhone, and the laptop with then automatically be placed into the BLOCKED mode and I have to change it to NORMAL so they can connect.  I only know this happens because I happen to check, or if they complain to service desk.


Until I migrate to EAP-TLS which will allow me to remove this group policy feature, I'm forced to do this. I was wondering if anyone know's of a way to get some sort of alert if a client becomes blocked (regardless if its auto or manual).

With the introduction of webhooks I thought maybe that might help, but I don't think it will. Looking at API the only option I see is 'Return the group policy that is assigned to a device in the network' but this requires I input the clients mac address, so this isn't helpful.

 

Any thoughts?

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Labels:
0 Kudos
7 Replies 7
MacuserJim
A model citizen
‎Oct 30 2018 11:36 AM
‎Oct 30 2018 11:36 AM

As far as the API goes you can retrieve the clients connected to a device, which returns the MAC, you can then use those MACs to return the group policy. So if you are good with the API (it sounds like you are) you can have that all in one script.

 

I'm not sure of good way to send notifications to you though.

 

 

0 Kudos
In response to MacuserJim
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 30 2018 11:52 AM
‎Oct 30 2018 11:52 AM

@NolanHerring this happens sometimes with the Dashboard incorrectly identifying a device type. What if you used tags instead of device type?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
NolanHerring
Kind of a big deal
‎Oct 30 2018 12:12 PM
‎Oct 30 2018 12:12 PM

I don't see any option for using the TAGs, so I must be missing something. Not sure that would solve it though. I understand the false positives will happen, its not perfect. So I know I can't prevent it, but just want to take action when it does happen. I'm thinking there isn't any easy way to do this other than what I've been doing which is wait for a complaint or check it manually occasionally =( lol
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
MacuserJim
A model citizen
‎Oct 30 2018 12:16 PM
‎Oct 30 2018 12:16 PM

This isn't what you are looking for, but what if you had it apply a group policy to move them to another "guest" VLAN that has internet access, but not access to company resources? That would at least allow legitimate users to do basic work, like email, log into SaaS applications, etc.

0 Kudos
In response to MacuserJim
NolanHerring
Kind of a big deal
‎Oct 30 2018 12:41 PM
‎Oct 30 2018 12:41 PM

@MacuserJim Not a bad idea, however, I don't want it to function at all because I don't want any traffic from a BYOD device using the specific WAN connections for corporate use. So blocking 100% is the only choice to ensure this.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Oct 30 2018 12:22 PM
‎Oct 30 2018 12:22 PM

Sorry, I misread your question. I've had a good look through the alerts section and I cannot find anything that will work. For now I would just keep doing what your doing and submit a wish. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 30 2018 12:39 PM
‎Oct 30 2018 12:39 PM

If someone plugs their iPhone via USB into their notebook you may also find that the notebook gets falsely detected as an iPhone, as the iPhone will use Ethernet over USB and communication via that method.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.