Client Classification Policy - iOS and Non-Domain Joined

  • Question
  • Updated 4 years ago
  • Answered
I have 2 SSIDs, one for Corp and one for Guests. The Corp is 802.1X using Aerohive's built-in RADIUS. While I want corporate users to use the Corp SSID, I want to restrict iOS, Android, and non-domain-joined PCs from having internal access.

I've set the Client Classification Policy on my Corp SSID, but I had a question on creating the "Internet_Only" User Profile. It's created, but are there any settings in it I need to set so that it doesn't get internal access? Which default VLAN should it be? The Corp VLAN or the Guest VLAN?

Brad Rabinowitz


Posted 4 years ago

Sam

I would recommend placing your "Internet_Only" user profile in your "Guest VLAN". However, with our firewall at the edge it doesn't really matter.

The next step would be to expand the Firewalls section of the User Profile, and set the TO field to "Guest-Internet-Access-Only" with the default action to Permit.

This will only allow traffic to the internet and block access to the 10.x, 172.x and 192.168.x subnets.

(Edited)
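
To check that a client placed in the "Internet_Only" profile really is held to the behavior described in the reply above, the expected verdicts can be modeled and compared with what a test client actually reached. This is an added example, not part of the thread and not Aerohive's code; it assumes "10.x, 172.x and 192.168.x" means the RFC 1918 blocks, and the rule names, function names and sample results are constructed.

```python
import ipaddress

# Assumption: the ranges named in the thread are the RFC 1918 blocks.
# The real rule set of "Guest-Internet-Access-Only" must be read from
# the management UI; the rule names here are hypothetical labels.
DENY_RULES = [
    ("deny-10", ipaddress.ip_network("10.0.0.0/8")),
    ("deny-172", ipaddress.ip_network("172.16.0.0/12")),
    ("deny-192.168", ipaddress.ip_network("192.168.0.0/16")),
]
DEFAULT_ACTION = "permit"  # default action given in the thread


def evaluate(dest):
    """Return (action, rule_name) for a destination IP; first match wins."""
    addr = ipaddress.ip_address(dest)
    for name, net in DENY_RULES:
        if addr in net:
            return ("deny", name)
    return (DEFAULT_ACTION, "default")


def audit(observed):
    """Compare observed reachability with the policy's expected verdict.

    observed: dict of destination IP -> True if the test client reached it.
    Returns the destinations whose observed result contradicts the policy.
    """
    mismatches = []
    for dest, reached in sorted(observed.items()):
        action, rule = evaluate(dest)
        if reached != (action == "permit"):
            mismatches.append((dest, action, rule))
    return mismatches


# Constructed sample results from a hypothetical non-domain test client.
SAMPLE_OBSERVED = {
    "10.1.20.5": True,       # internal host answered: contradicts the policy
    "172.20.1.5": False,     # inside 172.16.0.0/12, blocked as expected
    "172.32.0.1": True,      # outside 172.16.0.0/12, so not a private range
    "192.168.10.1": False,
    "203.0.113.10": True,    # documentation range standing in for the internet
}

if __name__ == "__main__":
    for dest, action, rule in audit(SAMPLE_OBSERVED):
        print(f"{dest}: policy says {action} ({rule}), client result differs")
```

A mismatch on an internal address suggests the client was never classified into the restricted profile, or that the firewall policy is not attached to it.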
Brad Rabinowitz

So after further testing, it appears that non-domain based computers can still easily access domain resources by entering their credentials in the format of domain\username when clicking on a domain resource. Am I missing something, because it seems this should not be the expected behavior.
Sam

Hi Brad,

Are you still experiencing the issue?

Can you provide your VHM ID (help>about)? What method are users using to attempt to access the internal resources? \\ipaddr\share?

Thanks.