Client classification policy does not recognize iPad, iPhone and Mac OS (laptop)

  • Question
  • Updated 3 years ago
It looks like the client classification policy for iPhone, Mac OS or iPad does not recognize them and places all devices into one default VLAN. Aerohive Support confirmed:

"So, I got the word from Tier2 that Apple updated their iOS and the difference cannot be seen between iPad and Mac. All Apple devices are now showing as Mac clients."
MST

Posted 3 years ago
Nick Lowe, Official Rep
I assume that they've unified things so that the DHCP fingerprint matches therefore?

I'll get some packet captures and take a look when I get some time to see exactly what's going on.

Classification via the HTTP user agent in Web browsers should be able to tell the difference between iOS and OS X.

Is this a particular problem for you?
MST
No, this is not a problem for me if I get iPhone, iPad and Mac OS classified properly and placed into different VLANs. Here are screenshots to make sure I get it the proper way:

Here is an example of my iPad 2 OS for DHCP Option 55.

Here is the teachers' user profile that includes all the client classification policies, so the iPad 2 should be assigned to VLAN 25 and Mac OS to 180, but when I use iPads and laptops they all go to VLAN 25, which is at the top of the classification rules (1).



OS detection has both DHCP and HTTP detection enabled.

Authentication is based on 802.1X RADIUS with an external NPS, but I think that does not matter for this issue.

Thanks,
MST

I just confirmed with an Aerohive engineer that client classification for iPad / iPhone / iPod with 6.6r1 is at a dead end and not working currently for both HTTP and Option 55, since all devices are treated as the iPhone OS. Apple changed their OS, but that makes my life harder since it would be nice to put cell phones and iPads on separate VLANs.

I use NPS RADIUS for users. Is there any way to block students from using iPhones and allow them to use iPads only?
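To make the behaviour described in this thread concrete, here is an added Python sketch (not Aerohive's code and not from any poster) of an ordered classification policy that tries the DHCP Option 55 fingerprint first, falls back to the HTTP User-Agent when the fingerprint is shared by several OSes, and lands on a default VLAN otherwise. The fingerprints, User-Agent markers and the VLAN numbers other than 25 and 180 are constructed for illustration only.

```python
from typing import Optional, Tuple

# Constructed sample fingerprints (assumption, not vendor data). DHCP Option 55
# is the client's Parameter Request List; a classifier matches the ordered
# option codes against known signatures. The Apple entry is deliberately shared
# by iPad, iPhone and Mac to model the situation reported in the thread.
DHCP_FINGERPRINTS = {
    (1, 121, 3, 6, 15, 119, 252): {"Apple iPad", "Apple iPhone", "Apple macOS"},
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): {"Windows"},
}

# User-Agent markers checked in order: "iPad" before "iPhone" because an iPad
# Safari UA contains "iPad" and "like Mac OS X" but not "iPhone".
UA_MARKERS = [("iPad", "Apple iPad"), ("iPhone", "Apple iPhone"), ("Macintosh", "Apple macOS")]

# Ordered rules as in the poster's user profile: first match wins. No rule for
# iPhone exists here, so iPhones fall through to the default (constructed).
RULES = [("Apple iPad", 25), ("Apple macOS", 180), ("Windows", 100)]
DEFAULT_VLAN = 25  # thread: unmatched clients end up on the top rule's VLAN


def classify(option55, user_agent: Optional[str]) -> Tuple[Optional[str], int]:
    """Return (os_label, vlan). DHCP decides if unambiguous; HTTP UA breaks ties."""
    candidates = DHCP_FINGERPRINTS.get(tuple(option55), set())
    if len(candidates) == 1:
        os_label = next(iter(candidates))
    elif user_agent:
        os_label = next((label for marker, label in UA_MARKERS if marker in user_agent), None)
    else:
        os_label = None  # fingerprint unknown or shared, and no HTTP traffic seen yet
    vlan = next((v for label, v in RULES if label == os_label), DEFAULT_VLAN)
    return os_label, vlan
```

With only the shared Apple fingerprint and no browser traffic, every Apple device gets the default VLAN, which is exactly the symptom the poster describes.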
Nick Lowe, Official Rep

You would use something like Windows Certificate Services, a role in Windows Server, to provide the backend CA infrastructure to issue individual digital certificates to clients.
(You will want to use 2048-bit RSA with SHA-256 [SHA-2 family].)

Just to be clear, this is not the digital certificate that you present to clients from NPS so that they can trust the server when performing TLS-based EAP authentication.

NPS does not distribute client digital certificates or configuration to clients. That is outside of its scope. It is, however, responsible for validating client digital certificates in conjunction with SCHANNEL, the Windows TLS implementation, with authentication methods like EAP-PEAP with an inner-EAP of EAP-TLS.

You use the digital certificate presented, a credential for a directory account, to map the client to hypothetical 'iPad' / 'iPhone' security groups as you see fit. You can then decide what to do based on what you want from a policy perspective.

You are ensuring that only the device type you want to connect has credentials to connect.

MobileConfigs are the means to configure Apple devices. There is a lot of information on the Web about this. Take a look at what the Apple Configurator offers in this area, for example.

Client on-boarding solutions are available to help with all this if you find it too manually involved, but they're not cheap.

MST

Thank you Nick, so do I need a new server set up as "Windows Certificate Services, a role in Windows Server", or can I use the existing NPS server for that purpose?
Nick Lowe, Official Rep
You can certainly add that role to the same server that runs NPS. Being independent, they don't fight with each other.
MST

I believe Windows Certificate Services is referring to Active Directory Certificate Services.
Nick Lowe, Official Rep
Yes, definitely. It was shorthand for saying Active Directory Certificate Services in Windows Server. Sorry if that was confusing! :P