Is it possible to block a certain OS from connecting to SSID? Windows 10?

For SSIDs using WPA2 PSK is it somehow possible to prevent Windows 10 clients from connecting?

Mainly due to http://windows.microsoft.com/en-gb/windows-10/wi-fi-sense-faq
Jason Istre

Posted 3 years ago

Anjanesh Babu
I don't think the APs can detect the OS at the Layer 2 edge. Once the client is associated, you can probably steer or block them using tools further down the line. As of writing, the current version of Hivemanager does not have Windows 10 fingerprinting included in Objects.
Mike Kouri, Official Rep
Jason,
We can attempt to fingerprint the client OS via the specific collection of DHCP options they request at boot time and/or via the embedded user-agent in their web requests (obviously after they've booted and acquired an IP address). However, Windows 10 is new enough that we have not yet determined a reliable fingerprint.

I've looked, and don't see anything at fingerbank either.

One thing you may want to consider as an interim mitigating step would be to use PPSKs and set them to at most one concurrent login allowed. That way, even if your users enable Wi-Fi Sense on your network, their friends still won't be able to use that private PSK (because the "owner" is using it).
Tony Schaps
Even with that mitigating step, I can see a mess being created with these "crowd-sourced" PSKs, particularly since it's not just Windows 10 clients but also Windows 10 Mobile which will be sharing the passwords around. If you limit a PPSK to one concurrent login and another promiscuous device connects first, your staffer won't be able to connect his/her primary laptop and won't understand why. Some users will want two devices since they will get a Windows 10 mobile phone, and some will also get a tablet and need the "trifecta," so you'll need to have separate policies and multiply that by dozens of users. All I can say is "ugh..." RADIUS, here we come... unless, of course, Aerohive beefs up the client classification capabilities soon.
Eastman Rivai, Official Rep

Workarounds that may work.

OPTION 1:
Run a sniffer and check the option 55 parameters of the Windows 10 client and create an OS object based on this information.

Create classification rules on the user profile:
Top rule: assign the customised OS object to a restricted user profile (a profile with no access)
Bottom rule: assign any OS to a non-restricted user profile (a profile that lets you have access)

In theory, when the Windows 10 option 55 list is detected it will hit the first rule and get assigned to the restricted user profile.

OPTION 2:
Create classification rules on the user profile.
Top rules: assign all known OS objects (Windows, Mac, iPad/iPhone/iPod, etc.) to a non-restricted user profile
Last rule: assign any OS to a restricted user profile

In theory, if the Windows 10 option 55 parameters do not match the known OS objects, it will hit the last rule and get assigned to the restricted user profile.

I have not tried it myself, but it may work. You have to enable option 55 OS detection as well.


Thank you,

Eastman
Anjanesh Babu
Regardless of every option out there, Wi-Fi passwords would still be used by Windows 10 to get in, since all the filtering and analysis can only be carried out beyond Layer 2. This is more of a limitation of current technology than of Aerohive itself.


You can't filter out an OS based on MAC address or probes. If some future standard makes it mandatory to disclose the OS and capabilities in the probe, then we have a solution to block at the very edge.
Eastman Rivai, Official Rep

If you want to completely block association, with the above options you may then note the clients' MAC addresses and create a MAC firewall to block those Windows 10 clients. It should be easy to find them, as all of them will be in the same user profile. You may create a search filter based on the user profile attribute.

I hope this can help
Crowdie, Champ
My Windows 10 Desktop PC is detected as a Windows 8 device so we can therefore assume that Windows 10 and Windows 8 have the same DHCP Option 55 values.
Eastman Rivai, Official Rep
Crowdie,

How did you compare the DHCP option 55 parameters of Windows 8 and Windows 10? You can do a packet capture in order to see it. If they are the same then you won't be able to classify Windows 10. I just don't have a Windows 10 machine at the moment to check.
Nick Lowe, Official Rep
Windows 10 gives:
Eastman Rivai, Official Rep
It seems to be exactly the same as Windows 8 (1,15,3,6,44,46,47,31,33,121,249,252,43). Thus, classification using DHCP option 55 cannot be achieved at this point.
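To make the two classification workarounds above concrete, here is an added example (not code from the thread or from Aerohive) that builds a constructed DHCPDISCOVER, extracts option 55, and applies the OPTION 1 and OPTION 2 rule orders. The parameter request list is the one quoted for Windows 8/10 in this thread; the OS object table and the "OtherOS" entry are constructed placeholders, and the function names are assumptions. It shows why an identical list for Windows 8 and Windows 10 defeats both orderings: OPTION 1 restricts Windows 8 as well, and OPTION 2 lets Windows 10 through as Windows 8.

```python
import struct

# DHCP option 55 (parameter request list) quoted in the thread for Windows 8 and 10
WIN8_WIN10_PRL = (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252, 43)

# Constructed table of "known OS objects"; only the Windows list comes from the thread,
# the "OtherOS" entry is a made-up placeholder standing in for a different client type
KNOWN_OS_OBJECTS = {
    "Windows 8": WIN8_WIN10_PRL,
    "OtherOS (constructed)": (1, 3, 6, 12, 15, 28),
}
# OPTION 1's custom object, built from a sniffed Windows 10 request (same list as Windows 8)
CUSTOM_WIN10_OBJECT = WIN8_WIN10_PRL
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

def build_discover(prl, xid=0x1234ABCD, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed DHCPDISCOVER carrying the given option 55 list (BOOTP header + options)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"))
    hdr += b"\0" * 192                                   # sname (64) + file (128)
    opts = b"\x35\x01\x01"                               # option 53: DHCPDISCOVER
    opts += bytes([55, len(prl)]) + bytes(prl)           # option 55: parameter request list
    return hdr + MAGIC + opts + b"\xff"                  # option 255: end

def parse_options(pkt):
    """Return {code: bytes} for a DHCP packet; skips pad (0) and stops at end (255)."""
    idx, out = pkt.index(MAGIC) + 4, {}
    while idx < len(pkt) and pkt[idx] != 255:
        code = pkt[idx]
        if code == 0:
            idx += 1
            continue
        length = pkt[idx + 1]
        out[code] = pkt[idx + 2:idx + 2 + length]
        idx += 2 + length
    return out

def option55(pkt):
    """The client's parameter request list as a tuple of option codes (empty if absent)."""
    return tuple(parse_options(pkt).get(55, b""))

def option1_profile(pkt):
    """Top rule: custom Windows 10 object -> restricted; bottom rule: any OS -> unrestricted."""
    return "restricted" if option55(pkt) == CUSTOM_WIN10_OBJECT else "unrestricted"

def option2_profile(pkt):
    """Top rules: known OS objects -> unrestricted; last rule: any OS -> restricted."""
    return "unrestricted" if option55(pkt) in KNOWN_OS_OBJECTS.values() else "restricted"
```

A real capture would replace `build_discover`; the rule functions operate only on the option 55 list, which is the only input the classification has.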
Crowdie, Champ
I went the old-fashioned way and connected a Windows 10 laptop to my lab network and looked at what the OS was detected as. A bit old school, I know, but I have found the old school ways generally work pretty well :-)

Right I am off to play with my ZX81.