PPSK and client classification not working

  • Updated 3 years ago
Added a new SSID for PPSK, created local user groups and local users, they authenticate and work fine. I enabled client classification to put our Macs on primary VLAN and other devices on a guest VLAN, but it seems to completely ignore that, all devices are going on our primary VLAN. "Enable user profile reassignment based on client classification rules" is check-marked under the user profile-> Optional Settings-> Client Classification policy, and I'm just using "OS Object" for the classification (others set to [-any-]), and all available OS Objects (other than MacOS) are configured to reassign to the Guest User profile on a different VLAN. HMOL Enterprise 6.4r1. The same Guest User Profile works fine on a different Guest SSID; it puts users on the Guest VLAN just fine. Have all AP330 running HiveOS 6.4r1a.2103.
Getting frustrated, as it all appears that it should work. I am waiting for our network engineer consultant to have time to look at it. Anyone with any suggestions, thanks in advance. :)
Tony Schaps

Posted 3 years ago

Andrew Garcia, Official Rep

Make sure you enable this setting too.

Tony Schaps

Yep, I have had that check-marked all along, so the problem must be something else.

The PPSK staff user group members get "User" profile and go on VLAN 100. Devices detected in the client classification are supposed to be moved to the Guest profile with VLAN 999. 

Andrew Garcia, Official Rep

Check your PPSK Local User Group.  Do not define a VLAN in there.

OK, some recommendations.

- Don't use the default-profile(0) ever.  That is there to be cloned, not used in a policy.  For the purposes of this SSID, you could set the Guest user profile as the Default.

- Check your PPSK Local User Group.  Do not define a VLAN in there.  Match the Attribute number to the Guest User Profile.  

- In the Guest User Profile, set up the client classification rule so MacOS gets redirected to the User-Int (100) user profile.

David Coleman, Official Rep

Do you have this check-box checked as well?

Andrew Garcia, Official Rep

Slow, man.  Slow.

Andrew Garcia, Official Rep

Just as a tip, another way to go about this is to create a second PPSK User Group.  Put the Mac OS keys in one group and the other OS keys in a second group, and use the User profile attribute values to map to a different user profile.  That way, you don't need to rely on the OS detection engine to create the groups you want.

So,

PPSK Group 1 - OTHEROS
User Profile ID = 10
Maps to User Profile = DefaultUsers (user attribute value 10)
set this user profile as Default.

PPSK Group 2 - MacDevices
User Profile ID = 20
Maps to User Profile = Macs (user attribute value 20)
set this user profile under Authentication.
 

Tony Schaps

We have about 100 trusted users in this office, thus far using one shared WPA2 key for both their company Macs and personal devices. I'm new and intent on instituting this change quickly as a first step on the way to something better, reduce the devices in the broadcast domain, and yet I don't want to create too much admin work to do it. I want to issue just one PPSK per user which allows up to three connections and let them put them in the devices, then deactivate the legacy SSID and get on to other business and plan the next step in a few months. If I have to issue them all two, that's double the work, more work to explain it, and more work to fix the inevitable devices using the wrong PPSK and getting on the wrong subnet. 
Client classification works for others, what can I do to troubleshoot this?

Steven Bateman

Just to follow up on this as I'm working with Tony on this network...

Turns out we had a static VLAN assigned in the user groups and we had a mismatched user profile attribute between user groups and the policy. Recreating per Andrew's instructions took care of it.