Identify and block iOS/Android from RADIUS network, Hive Manager NG

  • Updated 1 year ago
I have a network set up with AD RADIUS auth against a Windows server. All old authentication protocols are shut down, PEAP is in use and works well.
I would like to block devices from this network based on their operating system, but the only how-to's I found concerning this are for the old Hive Manager, not NG.
Techdocs also seem not to be up-to-date.
Can anyone point me in the right direction? A perfect solution would be to steer the iOS/Android devices into a different VLAN, but just denying the connection to this network would be fine too ^^

Tobias Protz


Posted 1 year ago


Nathaniel Moore, Employee

Hi Tobias,

You'll need to use Assignment Rules. Screenshots below show how to access this and how to configure.

To answer your question - yes, you can segregate users by OS type and place them in different VLANs.

1. Within your SSID, scroll down to user profiles and check 'Apply a different user profile to various clients and user groups'. Then, create your sub user profiles that relate to iOS and Android users. Once done, click on the plus icon under 'Assignment Rules'. Follow the next steps for all profiles.


2. Give the rule a name. Click on the plus symbol and select 'Client OS Type'. Define your preferred OS and click 'Select'. Save your changes.




Repeat these steps for the different OS types/profiles. Remember, you can edit each user profile and assign them to different VLANs:



Lastly, remember to save everything and push an update out to your APs.

Hope this helps.

Nathaniel

Tobias Protz

Thanks a lot,
couldn't find the OS selection before.
Unfortunately, I still seem to have a bug: I defined a not-connected VLAN in the user profile for testing purposes, so the client should not be able to get an IP from there (or anything for that matter).
But the client device still connects to the RADIUS and is assigned an IP via DHCP.
Any idea where I can dig deeper into this?

Tobias Protz

Further investigation shows that according to monitor -> clients they are all assigned the default user-profile.
If I change that to something else, moving all clients to a VLAN without an SSID, the Windows clients will strangely still get an IP (or maybe retain the one from previous connections - possible). All others won't get an IP anymore, even if their profiles would move them to a VLAN with DHCP (according to monitor -> clients the correct profile is not assigned, even though the OS (Android, iOS) is correctly identified).
The problem now is that apparently Linux is missing from the OS list. The Ubuntu clients are correctly identified as Debian-based Linux, but there is no rule option for them.

Edit: Is it possible that these rules have no effect on 802.1X RADIUS connections with an external RADIUS server?
Running the latest HiveOS here.