AP121 - Client Classification Policy

  • 1
  • Question
  • Updated 5 years ago
  • Answered
Hi all,
I recently bought an AP121 and was playing around. One thing that interested me is the client classification policy, with which, on a single SSID, I can assign a particular profile to a user's device.

I want to know how the device domain object works. What I want to achieve is that if my users' laptops are joined to our domain, they can access everything, whereas a phone or laptop which is not part of our domain can only access the Internet.

Please advise, thanks.
Tony Ying

  • 4 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Are you using 802.1X for authentication? The best way to achieve what you are looking for is to configure your domain-joined laptops to use machine authentication with a RADIUS policy mapped to the OU where your computer accounts are stored in AD.

Meanwhile, your phones, tablets, and BYOD laptops would use user authentication, and the user profile associated with these devices would have an Internet-only firewall applied.
Tony Ying

  • 4 Posts
  • 0 Reply Likes
No, I am using WPA/WPA2 PSK (Personal) for authentication.

Can you tell me more about the device domain object in the Client Classification Policy?
Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
The device domain object for client classification also relies on 802.1X, so it won't do anything with an SSID secured by PSK. For SSIDs secured with 802.1X/EAP, the AP looks at the user identity string in the RADIUS authentication request to determine whether the domain name is in the string.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Of course, this is awfully bad practice, conceptually completely broken, vulnerable to identity spoofing, and should not be used.

That is the case unless and until Aerohive implement support for treating the User-Name AVP in an Access-Accept as authoritative. (It would also require a RADIUS infrastructure capable of returning the inner identity, hopefully normalised.)
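To make the distinction raised in the two replies above concrete, here is an added example (not Aerohive or HiveOS code) that contrasts a classifier keyed on the client-supplied User-Name in the Access-Request with one keyed on the User-Name the RADIUS server asserts in the Access-Accept. The realm names, identity formats handled and all sample identities are constructed placeholders; it assumes the RADIUS attributes have already been extracted as strings.

```python
"""Classify a wireless client as domain-joined or internet-only from RADIUS identities.

Constructed example; TRUSTED_REALMS and every sample identity below are placeholders.
"""
from __future__ import annotations

# Assumed realms that mean "joined to our domain" (DNS and NetBIOS forms differ).
TRUSTED_REALMS = {"corp.example", "corp"}

def normalise_identity(identity: str) -> tuple[str, str | None]:
    """Split an EAP/RADIUS identity into (account, realm), lower-cased.
    Handles user@realm (NAI), DOMAIN\\user (NT style) and host/fqdn (AD machine account)."""
    ident = identity.strip().lower()
    if ident.startswith("host/"):
        host, _, realm = ident[len("host/"):].partition(".")
        return host, realm or None
    if "\\" in ident:
        realm, _, account = ident.partition("\\")
        return account, realm
    if "@" in ident:
        account, _, realm = ident.rpartition("@")
        return account, realm
    return ident, None

def classify_by_request_identity(request_user_name: str) -> str:
    """Substring match on the User-Name from the Access-Request. The supplicant
    chooses this string and the AP never verifies it, so it is a weak policy input."""
    hit = any(realm in request_user_name.lower() for realm in TRUSTED_REALMS)
    return "domain" if hit else "internet-only"

def classify_by_accept_identity(accept_user_name: str | None) -> str:
    """Use the User-Name the RADIUS server returns in the Access-Accept, i.e. the
    identity it actually authenticated. No asserted identity -> restrictive profile."""
    if not accept_user_name:
        return "internet-only"
    _, realm = normalise_identity(accept_user_name)
    return "domain" if realm in TRUSTED_REALMS else "internet-only"

if __name__ == "__main__":
    # Constructed exchanges: (Access-Request User-Name, Access-Accept User-Name)
    samples = [
        ("host/laptop01.corp.example", "host/laptop01.corp.example"),  # machine auth
        ("CORP\\alice", "CORP\\alice"),                                 # NT-style user auth
        ("anonymous@corp.example", "alice@byod.example"),              # outer realm != authenticated realm
        ("bob@corp.example", None),                                    # server returns no User-Name
    ]
    for req, acc in samples:
        print(f"{req:30} request-based={classify_by_request_identity(req):14}"
              f" accept-based={classify_by_accept_identity(acc)}")
```

The third and fourth rows are where the two approaches diverge: the request-based check grants the domain profile on an unverified string, while the accept-based check only does so when the server has vouched for a realm in TRUSTED_REALMS.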
Tony Ying

  • 4 Posts
  • 0 Reply Likes
Thanks Andrew.

One more question. Under configuration -> Configure Interface & User Access, there is a VLAN setting.

MGT VLAN is referring to the AP?

Native VLAN is referring to ???
Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Both the Management VLAN and the Native VLAN are defined at the network Policy level.

The Native VLAN is the untagged VLAN for your network, by default set to VLAN 1. If frames coming from the AP don't have an 802.1Q tag, this is where they will go.

The Management VLAN is the VLAN used for management traffic by the AP - to talk to HiveManager for management traffic, and for APs to pass control traffic amongst themselves. The Management VLAN by default is also set to 1.

Each of these values can be changed at the network policy level, or overridden on a per-AP basis as well.
Tony Ying

  • 4 Posts
  • 0 Reply Likes
So if I have two SSIDs with two different VLANs under one network policy,

for e.g., SSID A is VLAN 2 and SSID B is VLAN 4,

and the default Management and Native VLAN is VLAN 1,

how do I configure the Management VLAN and Native VLAN? Do I leave them as default?
Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
It depends on how your network is configured. VLAN 1 is probably the right setting for both native and management VLAN, but some people do have different settings.

To ensure your wireless VLANs work, make sure the switch ports to which you connect your APs are configured as VLAN trunk ports, with native VLAN 1 and tagged for VLAN 2 and VLAN 4.