NG User Profile Assignment and Missing Operators

  • Question
  • Updated 1 year ago
Maybe someone knows a better way...

I have a Windows group that should be allowed on WiFi, but NOT with their mobile devices. My initial response was to assign the group an attribute number, and create an assignment with that, as well as OS types, and knock it off to a dead VLAN so they can't get an IP address. 

Problem is, the profile assignment works with an "OR" operator, with no option for "AND", so everyone with a mobile device got booted off, not just the one with the RADIUS attribute AND the mobile device.

Anybody got a better way around this other than creating a whole new SSID just for the Windows group?
Jeremy Stewart

Posted 1 year ago

Jeremy Stewart
What is missing is that there is no "client classification policy" inside the user profile, as Hive6 had.
Crowdie, Champ
The easiest way to ensure only domain devices can connect (I am assuming this is what you are trying to achieve) is to configure NPS (or your favourite RADIUS server) for PEAP MSCHAPv2 (this way you don't need client certificates) and configure RADIUS to check against a computer security group (or just Domain Computers if you want to allow all domain-joined computers). When the computer boots it will machine-authenticate before the CTRL+ALT+DEL screen appears, and the domain handles the user authentication.
Jeremy Stewart
No problems with RADIUS here. The issue is keeping mobile devices off the network for one specific Windows group. Hive6 used to let me break that group out into a user profile, just as I can with NG, but then further add a device classification policy within the user profile. NG cannot do this.
Crowdie, Champ
OK so I have the requirement as:

1. Allow access to members of xxxxxx AD security group.
2. If the device connected via rule #1 is running OS yyyy then move it to user profile zzzz.

Does that sound correct?

HM NG does not currently support client classification via a user profile, and it doesn't really work anymore with HM6 either. The reason for this is that Apple has made the DHCP Option 55 responses from all their devices (iOS and OS X) identical, so you can't tell them apart. Not an issue if you also want to restrict OS X access, but if you don't...
Jeremy Stewart
Those are the requirements, and it's worked great with HM6 as long as you don't rely on Aerohive to be on the ball with Option 55... I use Fingerbank and do it myself.
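As an added example, not code from the thread, from Aerohive or from Fingerbank, here is the classification step Crowdie and Jeremy discuss above: parse DHCP Option 55 (the Parameter Request List) out of a DHCPDISCOVER, look it up in a fingerprint table, and then evaluate the "restricted group plus mobile OS" assignment rule with OR versus AND semantics. The packets, the fingerprint table and the class names are constructed for the example; the single Apple row reproduces the ambiguity Crowdie describes, where iOS and OS X send the same Option 55 list and therefore land in the same class. The functions and the dead-VLAN profile name are hypothetical, not HiveManager's or Fingerbank's API.

```python
from typing import Dict, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options area (RFC 2132)
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQUEST_LIST, OPT_END = 0, 53, 55, 255
DHCPDISCOVER = 1


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area of a BOOTP/DHCP packet and return {code: raw value}."""
    # 236-byte fixed BOOTP header, then the 4-byte magic cookie, then options
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: short frame or missing magic cookie")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker, no length field
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value        # a repeated code overwrites; good enough for fingerprinting
        i += 2 + length
    return options


def option55_fingerprint(packet: bytes) -> Optional[str]:
    """Option 55 (Parameter Request List) as 'a,b,c', the key form fingerprint databases use."""
    prl = parse_dhcp_options(packet).get(OPT_PARAM_REQUEST_LIST)
    if prl is None:
        return None
    return ",".join(str(b) for b in prl)


def build_discover(param_request_list: bytes) -> bytes:
    """Assemble a minimal DHCPDISCOVER carrying the given Option 55 (constructed test input)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6        # op=BOOTREQUEST, htype=Ethernet, hlen=6
    header[4:8] = b"\x12\x34\x56\x78"                 # xid, constructed
    header[28:34] = b"\x02\x00\x00\x00\x00\x01"       # chaddr, constructed locally-administered MAC
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_PARAM_REQUEST_LIST, len(param_request_list)]) + param_request_list
        + bytes([OPT_END])
    )
    return bytes(header) + DHCP_MAGIC_COOKIE + options


# Fingerprint table constructed for this example (not taken from Fingerbank or any other database).
# The single Apple row stands in for the situation the thread describes: iOS and OS X devices
# send the same Option 55 list, so Option 55 alone cannot separate them.
FINGERPRINTS: Dict[str, str] = {
    "1,3,6,15,119,252": "apple-ios-or-osx",
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "windows",
    "1,3,6,15,26,28,51,58,59,43": "android",
}
MOBILE_CLASSES = {"apple-ios-or-osx", "android"}   # hypothetical policy grouping


def classify_device(packet: bytes) -> str:
    """Map a client's DHCPDISCOVER to a device class, or 'unknown' if unmatched."""
    fp = option55_fingerprint(packet)
    return FINGERPRINTS.get(fp, "unknown") if fp else "unknown"


def assign_profile(in_restricted_group: bool, device_class: str, operator: str) -> str:
    """Apply the rule 'member of restricted group' + 'mobile device' -> dead VLAN.

    operator="OR" reproduces the behaviour the original poster hit (every mobile device
    is caught); operator="AND" is the semantics the poster actually wanted.
    """
    is_mobile = device_class in MOBILE_CLASSES
    if operator == "AND":
        hit = in_restricted_group and is_mobile
    elif operator == "OR":
        hit = in_restricted_group or is_mobile
    else:
        raise ValueError("operator must be 'AND' or 'OR'")
    return "dead-vlan" if hit else "default-profile"


if __name__ == "__main__":
    iphone = build_discover(bytes([1, 3, 6, 15, 119, 252]))
    laptop = build_discover(bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252]))
    for label, pkt, member in [("group member, iPhone", iphone, True),
                               ("non-member, iPhone", iphone, False),
                               ("group member, Windows laptop", laptop, True)]:
        cls = classify_device(pkt)
        print(f"{label:30} class={cls:18} OR->{assign_profile(member, cls, 'OR'):16} "
              f"AND->{assign_profile(member, cls, 'AND')}")
```

Running the block shows the non-member iPhone landing on the dead VLAN under OR and on the default profile under AND, which is exactly the gap between what the profile assignment offers and what the original poster needs. Because the Apple row yields one class for both iOS and OS X, any policy keyed on it will treat a MacBook the same as an iPhone; a practical deployment therefore combines the DHCP fingerprint with another signal (such as the machine authentication Crowdie suggests) rather than relying on Option 55 alone.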