
[WLC] How to block iPhone devices on controllers


Article ID: KB32759   KB Last Updated: 27 Jun 2018   Version: 1.0
Summary:

This article describes the procedure for blocking iPhone devices on controllers.

Solution:

Device detection (device-detect) is enabled by default on the controllers. To block iPhone devices, create a device-profile <Profile name> with the deny-session action and map it to the user VLAN. In this example the user VLAN is named default.

set device-profile Block deny-session
set device-profile Block attr vlan-name default

The controllers ship with a set of default device-fingerprint rules, and customized rules can be added alongside them. A device-fingerprint that should trigger the block must be placed in a device-group and mapped to the device-profile created above:

set device-fingerprint iphone device-group iphone
set device-fingerprint iphone device-profile Block

In the service-profile configuration, set device-detect mode to enforce-policy and map device-detect-acl to the device ACL (deviceacl in the example below). The service-profile also carries attr allowed-devices NOT:iphone, which excludes the iphone device-group defined by the fingerprint from the SSID.

Example configuration and session output:

set device-profile Block deny-session
set device-profile Block attr vlan-name default

set service-profile PSK-WPA2 ssid-name Jermann-psk
set service-profile PSK-WPA2 auth-fallthru last-resort
set service-profile PSK-WPA2 psk-phrase <password>
set service-profile PSK-WPA2 device-detect mode enforce-policy
set service-profile PSK-WPA2 device-detect-acl deviceacl
set service-profile PSK-WPA2 wpa-ie cipher-ccmp enable
set service-profile PSK-WPA2 wpa-ie auth-psk enable
set service-profile PSK-WPA2 wpa-ie auth-dot1x disable
set service-profile PSK-WPA2 rsn-ie auth-psk enable
set service-profile PSK-WPA2 rsn-ie auth-dot1x disable
set service-profile PSK-WPA2 wpa-ie enable
set service-profile PSK-WPA2 rsn-ie enable
set service-profile PSK-WPA2 attr vlan-name default
set service-profile PSK-WPA2 attr allowed-devices NOT:iphone

set device-fingerprint iphone device-group iphone
set device-fingerprint iphone device-profile Block


Prad-Repl# sh sessions 

1 sessions total

User Name             SessID  Type  Address              VLAN              AP/Rdo
--------------------- ------  ----- -------------------- --------------    -------
LR-Jermann-psk-34        339* open  10.9.221.218,V6      default             1/2


With the device-fingerprint configured on the controller, an Android client is able to connect (the single open session above), while the iPhone is blocked from the SSID. The trace below shows the iPhone's DHCP boot request (parameter request list '53,55,57,61,51,12' and option 12 hostname 'FranklinsiPhone') being evaluated against the fingerprint rules, after which the session is moved from AUTHORIZED to KILLING and the client is deauthenticated. Note that the classification relies on client-supplied DHCP data, so it is a policy control that a user can evade by renaming the device; it is not a substitute for authentication.

DOT1X May 31 13:26:45.486688 DEBUG DOT1X: FLUSH cache 0x4c3e186c for 90:fd:61:3a:45:85
DOT1X May 31 13:26:45.486723 DEBUG eapol_count_modo_sess del mac=90:fd:61:3a:45:85 from 10.9.221.233 vlan default tot_cnt=1
DOT1X May 31 13:26:45.486740 DEBUG DOT1X-SIFA: eapol_handle_unpublish:eapol_unpublish_cache_by_mac deleted record for 90:fd:61:3a:45:85 source 10.9.221.233
SM May 31 13:26:45.486756 DEBUG SM-STATE: (372) mac 90:fd:61:3a:45:85, flags 9800800020a234h, to change state AUTHORIZED -> KILLING, by sm_dot11_set_device_type
WLA May 31 13:26:45.486991 DEBUG AP 1 station: <311>May 31 21:26:46 syslog: DEBUG: DID NOT MATCH {'ios-generic' rule 1, DHCP option 0: value '12'}; {value '53,55,57,61,51,12' from boot request from 90:fd:61:3a:45:85 (method 'not contains')}; station 90:fd:61:3a:45:85 (devmark_rule_dhcpopt_bytes_trace)
WLA May 31 13:26:45.487000 DEBUG AP 1 station: <311>May 31 21:26:46 syslog: DEBUG: DID NOT MATCH {'ios-generic' rule 2, DHCP option 12: value 'iPhone'}; {value 'FranklinsiPhone' from boot request from 90:fd:61:3a:45:85 (method 'not contains')}; station 90:fd:61:3a:45:85 (devmark_rule_match_dopt_string)
WLA May 31 13:26:45.487006 DEBUG AP 1 station: <311>May 31 21:26:46 syslog: DEBUG: MATCHED {'ios-generic' rule 3, DHCP option 12: value 'iPad'}; {value 'FranklinsiPhone' from boot request from 90:fd:61:3a:45:85 (method 'not contains')}; station 90:fd:61:3a:45:85 (devmark_rule_match_dopt_string)
WLA May 31 13:26:45.487015 DEBUG AP 1 station: <311>May 31 21:26:46 syslog: DEBUG: MATCHED {'ios-generic' rule 4, DHCP option 12: value 'iPod'}; {value 'FranklinsiPhone' from boot request from 90:fd:61:3a:45:85 (method 'not contains')}; station 90:fd:61:3a:45:85 (devmark_rule_match_dopt_string)
AAA May 31 13:26:45.487110 DEBUG (372) aaa_sm_notification 90:fd:61:3a:45:85 release sess lock (killing)
SM May 31 13:26:45.487281 DEBUG (372) sm_do_client_boot: 90:fd:61:3a:45:85 will be removed from AP with deauth frame and with statistics clear
SM May 31 13:26:45.487290 DEBUG SM-EVENT: forcing disassociation and de-auth of client at 90:fd:61:3a:45:85, AP 1, qp=0 with statistics clear
DOT1X May 31 13:26:45.487406 DEBUG DOT1X-CLIENT: (372) notified to DELETE last-resort at 90:fd:61:3a:45:85


Key points to remember:

  • Fingerprints are inspected in the configured order until a match is found; the first matching fingerprint decides the device-profile that is applied.

  • If a more specific custom fingerprint must take effect, first delete the default fingerprint that would also match the device. The first time a custom fingerprint is defined it is appended after the defaults, so an earlier default fingerprint is evaluated first and wins.

  • The default fingerprints can then be restored with the command: # restore default-fingerprints. They are re-added after the custom fingerprint, which therefore keeps priority over them.

  • If further custom fingerprints are defined after restoring the defaults, delete the default fingerprints again before defining them (and restore them afterwards), so that the new custom fingerprints take priority.
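As an added example (not controller code and not part of this KB article), the following Python models the ordering behaviour described in the key points above and the per-rule devmark evaluation visible in the trace: fingerprints are walked in configured order and the first match decides the device-profile, so a default fingerprint placed ahead of the custom iphone fingerprint shadows it. The Rule and Fingerprint classes, the AND semantics across a fingerprint's rules, and the stand-in 'ios-generic' rule set bound to no policy are assumptions; the DHCP option values are those shown in the trace.

```python
"""Simplified model of ordered device-fingerprint evaluation.

Added example, not code from the WLC controller or from this KB article.
It models the behaviour the article describes: fingerprints are inspected
in configured order and the first matching fingerprint decides the
device-profile, so a default fingerprint listed before a custom one
shadows it. Rule semantics ('contains' / 'not contains' on a DHCP option,
all rules of a fingerprint ANDed) are simplifying assumptions, as is the
stand-in 'ios-generic' rule set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    option: int                 # DHCP option inspected: 12 = hostname, 55 = parameter request list
    value: str                  # substring the rule looks for
    method: str = "contains"    # 'contains' or 'not contains' (the methods seen in the devmark trace)

    def matches(self, options: Dict[int, str]) -> bool:
        seen = options.get(self.option, "")
        hit = self.value in seen
        return hit if self.method == "contains" else not hit


@dataclass
class Fingerprint:
    name: str
    device_profile: Optional[str]       # profile applied on match; None = no policy bound
    rules: List[Rule] = field(default_factory=list)

    def matches(self, options: Dict[int, str]) -> bool:
        # Assumption: every rule of a fingerprint must hold for the fingerprint to match.
        return all(rule.matches(options) for rule in self.rules)


def classify(order: List[Fingerprint], options: Dict[int, str]) -> Optional[Tuple[str, Optional[str]]]:
    """Walk the fingerprints in configured order; the first match wins, as the article states."""
    for fp in order:
        if fp.matches(options):
            return fp.name, fp.device_profile
    return None


def profile_for(order: List[Fingerprint], options: Dict[int, str]) -> Optional[str]:
    """Device-profile the first matching fingerprint would apply, or None if nothing matches."""
    result = classify(order, options)
    return result[1] if result else None


# Constructed DHCP boot request, using the option values visible in the article's trace.
IPHONE_REQUEST = {55: "53,55,57,61,51,12", 12: "FranklinsiPhone"}

# Stand-in (assumed) default fingerprint that also matches iPhones but is bound to no deny policy.
IOS_GENERIC = Fingerprint("ios-generic", device_profile=None, rules=[Rule(12, "iPhone")])

# Custom fingerprint from the article, mapped to the 'Block' (deny-session) device-profile.
IPHONE_CUSTOM = Fingerprint("iphone", device_profile="Block", rules=[Rule(12, "iPhone")])


def demo() -> None:
    # Default fingerprint ahead of the custom one: the default wins and the iPhone is not blocked.
    print("default first :", classify([IOS_GENERIC, IPHONE_CUSTOM], IPHONE_REQUEST))
    # Default deleted, custom defined, defaults restored: the custom fingerprint now precedes and wins.
    print("custom first  :", classify([IPHONE_CUSTOM, IOS_GENERIC], IPHONE_REQUEST))
    # The hostname is client-supplied; a renamed device slips past a hostname-only rule.
    renamed = {**IPHONE_REQUEST, 12: "my-device"}
    print("renamed host  :", classify([IPHONE_CUSTOM, IOS_GENERIC], renamed))


if __name__ == "__main__":
    demo()
```

Running the file prints the three cases: with 'ios-generic' first no deny profile is returned, with 'iphone' first the 'Block' profile is returned, and a device whose DHCP hostname no longer contains 'iPhone' is not classified at all, which is why fingerprint-based blocking should be treated as a convenience policy rather than an access-control boundary.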
