MR APs - Blocking Devices from SSID by OS Type

GJ1
Getting noticed

MR APs - Blocking Devices from SSID by OS Type

Hi,

 

We would like to prevent devices of a specific type, i.e. iPhones, from connecting to one of our networks. Having done some research, it seems that the way Meraki identifies the OS of a device is when the device makes a HTTP GET request after having connected to the network. Is there any way of applying a policy that prevents users from connecting to the network at all, or being able to hide an SSID from particular device types?

 

Thanks in advance.

 

6 Replies 6
BrechtSchamp
Kind of a big deal

I'd try to stear clear from using the device type for policies as they are known to be inaccurate at times:

https://community.meraki.com/t5/Network-Wide/In-accurate-Device-type-reported-by-Meraki/td-p/380

 

You can't hide SSIDs for specific users/devices it's all or nothing.

 

You'll be better of using other access control methods like 802.1X (WPA2-Enterprise), authentication through a captive portal, manual via the client details page, Cisco ISE, ... Which one is the best choice depends on your use case.

 

 

NolanHerring
Kind of a big deal

I've used the OS group policy stuff and while it does usually work, its not 100%. Sometimes iPhones for example don't trigger and they can connect. Sometimes I get false positives, where a MacBook laptop gets blocked because it thinks its an iPhone.

Using EAP-TLS certificate based authentication will do the trick. Only your machines that have the cert will be able to connect (machine based only auth against AD etc.) and that will prevent BYOD devices from being able to connect via user creds and they won't have the cert.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal

If you use splash page authentication then the OS fingerprinting works fine, but if you use WPA2 with a PSK or Enterprise modes then the device might not make an http request after login, and consequently per device type group policy doe snot work.

 

The best option is to use WPA2 Enterprise mode with certificate based authentication.  Then strickly only devices you put a certificate on can attach.  If you have mostly windows clients this is easier, as you can create a group policy to deploy certificates onto machines automatically.

Bruce
Kind of a big deal

Just to add to the good advice that everyone has provided below. You might also want to look at using Cisco Identity Services Engine (ISE) if you want to try and block access by device type. It is generally more robust at determining the device type and may serve your purpose well - but that said, it is obviously more $$$, which may not be wanted.

GavinMcMenemy
Building a reputation

Do you have access to RADIUS?
GJ1
Getting noticed

Hi all,

 

Thanks for the responses. We have decided to shore things up by making use of the Google authentication splash page for access to the relevant SSID. Thanks again for the replies!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels