Client Reassignment for Android Clients

  • Question
  • Updated 3 years ago
  • Answered
We use the Client Classification Policy on our corporate SSID to allow staff to use BYOD devices on the guest network. The setup is that if a domain laptop connects to this SSID and the user is validated by AD then the laptop connects to the corporate network.

If a non-laptop (iPad, Android etc) connects, and the user is validated by AD (in other words we know the person but not the device) then they get redirected to the Guest network. This saves us from having to administer staff BYOD accounts for personal use.




This has been working perfectly since installation until about two months ago. We started getting a few reports from Android users who had been working as expected not being able to connect to the Internet. The reason was that they were not being reclassified into the guest network.

Testing shows that they are remaining fully in the corporate network. We know this because if we apply the proxy settings they can go out to the Internet.

This is obviously a bit of a security risk. It is not affecting all Android users though, most are still working as expected.

My guess is that the issue is caused by an Android update. Is anyone else having problems with reclassifications?
sx

Posted 4 years ago

Brian Ambler

Hi sx,

I have not heard of certain Android devices not being redirected through Client Classification, but I was happy to set up a quick test at home. I can confirm that my Galaxy S4 is redirected to the Guest VLAN as expected on my AP230. Hopefully some others on this community can chime in with additional devices and whether or not they are functioning normally.
Brian Ambler

Actually, here are some screencaps just to make sure

sx


Thanks for the feedback. Here is what I am seeing.

 The first Android stays in User Profile Attribute 300 and VLAN 300. The other devices change profile, and change VLAN. (The laptop with the 307 profile is at a different site.)

 

Eastman Rivai, Official Rep

sx,

Can you try to create a new OS object for the Android device? You will need to sniff the DHCP packet first to see the option 55 parameter request list. This is the example of an iPhone 3GS: http://prntscr.com/3zdjwj. Put this information in the OS object parameter request list: http://prntscr.com/3zdlnz. You can then add this OS object to the client classification policy: http://prntscr.com/3zdm8h.

I assumed that DHCP option 55 detection had been enabled http://prntscr.com/3zdqly.

I hope this helps.

Eastman

MST

Thanks for the reply, I need to use each one separately, so I need:

1. for iPad

2. for iPhone

3. iPod

My understanding is to create HTTP detection for each one, right? Here is my current iPad object in OS OBJECTS:



Eastman Rivai, Official Rep

You need to create a DHCP option 55 for each device. The HTTP option only takes effect after you have your layer 3 connection, which is not the case for 802.1x. The client will need to be assigned to the desired VLAN during the DHCP process. You can run a packet sniffer in order to see the parameters of the DHCP option 55. Then you will need to create a new one under "Client Operating Systems Determined by DHCP ....". Ensure that DHCP detection is also enabled.
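The sniffing step described in the two replies above, as an added example that is not part of any post in this thread and is not vendor code: a small parser that pulls the option 55 Parameter Request List, in request order, out of the UDP payload of a DHCP message. The function names, MAC addresses and request lists are constructed for the illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of the options
FIXED_LEN = 236                     # BOOTP fields (op .. file) before the cookie

def parse_dhcp_options(payload):
    """Return {option code: raw value bytes} for one DHCP message (UDP payload)."""
    if payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:             # End option
            break
        if code == 0:               # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("option %d is truncated" % code)
        length = payload[i + 1]
        # RFC 3396: an option that appears more than once is concatenated
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return options

def option55_fingerprint(payload):
    """Return (client MAC, option 55 codes in request order), or None if absent."""
    prl = parse_dhcp_options(payload).get(55)
    if prl is None:
        return None
    hlen = min(payload[2], 16)      # hlen field bounds the chaddr bytes in use
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])
    return mac, ",".join(str(code) for code in prl)

def build_sample_discover(mac, prl):
    """Constructed DHCPDISCOVER for the demo; not captured from a real device."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(mac), 0,
                        0x1234ABCD, 0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    options = bytes([53, 1, 1, 55, len(prl)]) + bytes(prl) + b"\xff"
    return fixed + MAGIC_COOKIE + options

# Constructed values: locally administered MACs and made-up request lists.
SAMPLE_A = build_sample_discover(bytes.fromhex("020000000001"),
                                 [1, 3, 6, 15, 26, 28, 51, 58, 59, 43])
SAMPLE_B = build_sample_discover(bytes.fromhex("020000000002"),
                                 [1, 3, 6, 15, 119, 252])

if __name__ == "__main__":
    for pkt in (SAMPLE_A, SAMPLE_B):
        print("%s  option 55 = %s" % option55_fingerprint(pkt))
```

Feed it the UDP payload of client-to-server DHCP messages (port 68 to 67) from a capture. The list is order-sensitive, so two devices that request the same options in a different order yield different strings.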
MST

Regarding DHCP option I think it is already enabled in my network policy: 



So now I start creating DHCP options for each one. I will let you know when I am done. Thank you.
MST

I could not remove my current iPad OS detection rule so I created iPad2 with DHCP option 55:


Is that right?
MST

I see my only option is to know the option 55 Parameter Request List for each iPad and iPhone and enter them separately. I guess those parameters are not identical.