Meraki

Community

MR APs - Blocking Devices from SSID by OS Type

GJ1
Getting noticed
‎Jan 9 2019 2:55 AM
‎Jan 9 2019 2:55 AM

MR APs - Blocking Devices from SSID by OS Type

Hi,

 

We would like to prevent devices of a specific type, i.e. iPhones, from connecting to one of our networks. Having done some research, it seems that the way Meraki identifies the OS of a device is when the device makes a HTTP GET request after having connected to the network. Is there any way of applying a policy that prevents users from connecting to the network at all, or being able to hide an SSID from particular device types?

 

Thanks in advance.

 

0 Kudos
6 Replies 6
BrechtSchamp
Kind of a big deal
‎Jan 9 2019 5:47 AM
‎Jan 9 2019 5:47 AM

I'd try to stear clear from using the device type for policies as they are known to be inaccurate at times:

https://community.meraki.com/t5/Network-Wide/In-accurate-Device-type-reported-by-Meraki/td-p/380

 

You can't hide SSIDs for specific users/devices it's all or nothing.

 

You'll be better of using other access control methods like 802.1X (WPA2-Enterprise), authentication through a captive portal, manual via the client details page, Cisco ISE, ... Which one is the best choice depends on your use case.

 

 

In response to BrechtSchamp
NolanHerring
Kind of a big deal
‎Jan 9 2019 7:23 AM
‎Jan 9 2019 7:23 AM

I've used the OS group policy stuff and while it does usually work, its not 100%. Sometimes iPhones for example don't trigger and they can connect. Sometimes I get false positives, where a MacBook laptop gets blocked because it thinks its an iPhone.

Using EAP-TLS certificate based authentication will do the trick. Only your machines that have the cert will be able to connect (machine based only auth against AD etc.) and that will prevent BYOD devices from being able to connect via user creds and they won't have the cert.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 9 2019 11:11 AM
‎Jan 9 2019 11:11 AM

If you use splash page authentication then the OS fingerprinting works fine, but if you use WPA2 with a PSK or Enterprise modes then the device might not make an http request after login, and consequently per device type group policy doe snot work.

 

The best option is to use WPA2 Enterprise mode with certificate based authentication.  Then strickly only devices you put a certificate on can attach.  If you have mostly windows clients this is easier, as you can create a group policy to deploy certificates onto machines automatically.

0 Kudos
In response to PhilipDAth
Bruce
Kind of a big deal
‎Jan 9 2019 2:11 PM
‎Jan 9 2019 2:11 PM

Just to add to the good advice that everyone has provided below. You might also want to look at using Cisco Identity Services Engine (ISE) if you want to try and block access by device type. It is generally more robust at determining the device type and may serve your purpose well - but that said, it is obviously more $$$, which may not be wanted.

0 Kudos
GavinMcMenemy
Building a reputation
‎Jan 10 2019 4:22 AM
‎Jan 10 2019 4:22 AM

Do you have access to RADIUS?
0 Kudos
GJ1
Getting noticed
‎Jan 15 2019 5:55 AM
‎Jan 15 2019 5:55 AM

Hi all,

 

Thanks for the responses. We have decided to shore things up by making use of the Google authentication splash page for access to the relevant SSID. Thanks again for the replies!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.