Hi, how do I actually prevent mobile OSes like Android and iOS from joining the Wi-Fi network? Is this achievable via HMOL?


Johnny Loh


Posted 5 years ago


Andrew Garcia, Official Rep

There are a few ways to accomplish this.

1) If you are using 802.1X authentication, you could restrict access only to domain member PCs by using machine authentication instead of user authentication. This way, users can't use the same name/password combo on any other device, since it is the machine that is authenticated.

2) Use client classification to steer iOS and Android devices to a different user profile. In that redirected user profile, you can a) steer clients to a VLAN that doesn't exist, b) assign a firewall policy that doesn't allow the client to go anywhere, and/or c) assign a user profile availability schedule that is never really available (make the profile available for 1 minute at some point in the middle of the night, way in the future).

OS detection is enabled by default (look in Additional Settings > Service Settings > Management Options to verify). To redirect iOS and Android to a different user profile, do the following:
- Create a new user profile that has the VLAN, firewall or schedule settings you want.
- Then modify your default user profile for the SSID to redirect Android or iOS devices to your new user profile.
- Then make sure to enable client classification, and push your new config to your APs.
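One way to check that the redirect described in the answer above is taking effect, as an added example that is not part of the original post or the vendor's tooling. The CSV layout, column names, SSID and profile names are assumptions for illustration, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of active clients.
# Column and profile names are assumptions, not a HiveManager format.
SAMPLE_EXPORT = """mac,detected_os,ssid,user_profile
00:11:22:33:44:01,Windows 7,Corp,Corp-Default
00:11:22:33:44:02,iPod/iPhone/iPad,Corp,Block-Mobile
00:11:22:33:44:03,Android,Corp,Corp-Default
00:11:22:33:44:04,,Corp,Corp-Default
00:11:22:33:44:05,iPod/iPhone/iPad,Guest,Guest-Default
"""

# Substrings that mark a detected OS as one the policy should redirect.
MOBILE_OS_KEYWORDS = ("android", "ipod", "iphone", "ipad")


def is_mobile(detected_os):
    """Return True if the detected OS string names a mobile OS."""
    name = detected_os.strip().lower()
    return any(keyword in name for keyword in MOBILE_OS_KEYWORDS)


def audit_clients(export_text, ssid, block_profile):
    """Report clients on `ssid` that the classification rule did not catch.

    leaked:       mobile OS detected, but not in the blocking profile.
    unclassified: no OS detected, so an OS-based rule cannot match.
    """
    leaked, unclassified = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["ssid"] != ssid:
            continue  # other SSIDs are outside this policy
        detected = (row["detected_os"] or "").strip()
        if not detected:
            unclassified.append(row["mac"])
        elif is_mobile(detected) and row["user_profile"] != block_profile:
            leaked.append(row["mac"])
    return {"leaked": leaked, "unclassified": unclassified}


if __name__ == "__main__":
    report = audit_clients(SAMPLE_EXPORT, "Corp", "Block-Mobile")
    print("Mobile clients outside the blocking profile:", report["leaked"])
    print("Clients with no detected OS:", report["unclassified"])
```

A non-empty `leaked` list points to a missing or unpushed classification rule; `unclassified` entries are devices the OS-based rule had nothing to match on.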

Crowdie, Champ

I have used the "user profile with a firewall policy dropping all traffic" design but it leaves the user thinking they are connected and they can call the help desk requesting assistance.

What would be useful is an option in the client classification area to deauthenticate clients. We could then configure a client classification rule such as:

MAC Object: any
OS Object: iPod/iPhone/iPad
Device Domain Object: any
Reassigned User Profile: Deauth

Andrew Garcia, Official Rep

That is a good idea for a feature request, Crowdie.

At this time, we can simulate that behavior indirectly through the use of the User Profile Availability schedule. If the user profile is not available, the client is issued a deauthentication frame and the client is banned until the schedule is next available (which could be never).

See the help on user profile availability schedules here.

Johnny Loh

Your answers have been fantastic. Thank you very much.