If a network admin is using group policies in Dashboard or wants to block/whitelist certain types of devices, MR access points support applying custom policies per device type on an individual SSID. This article outlines how to block, whitelist, or apply custom policies to wireless clients based on the device type.
To configure policies by device type:
- In Dashboard, navigate to Wireless > Configure > Access Control.
- Select the desired SSID from the dropdown at the top.
- Set Assign group policies by device to enabled.
- Add and set policies as desired, selecting a Device type and assigning the corresponding Group policy.
Note: To assign a policy to all devices that associate with the SSID, list all available device types and assign the corresponding policy. See the image below for an example configuration that will block all device types from accessing the network:
The following sections outline some additional considerations to be kept in mind when assigning group policies by device type.
The access point will use the User-Agent string field of an HTTP GET request packet to determine the operating system of the client when it first associates, and allow or deny access accordingly. This can be observed in a packet capture, and may be helpful to gather for troubleshooting if a client doesn't appear to have the appropriate policy applied. In the image below, the User-Agent string shows the client is using Windows NT 6.1 as its OS. As such, any policy applied to Windows would affect this client:
Removing Applied Policies
When a client first associates to the SSID, if its device type matches one configured with a policy, the policy will be applied directly to the client's entry in Dashboard. This will cause the policy to apply automatically whenever the client associates with that SSID.
To remove an automatically assigned policy from a client, navigate to the Client Details page for that device, and change the Policy options as needed.
Note: If the SSID remains configured to apply a policy to that device type, then the policy will automatically re-apply when the client next associates to the SSID.
Note: Some clients may misidentify themselves when specifying the User-Agent string field of an HTTP GET request. Device type policy enforcement is done on a best-effort basis, dependent upon the information that the client provides. To enforce security-focused policies based on device type, please leverage solutions such as Meraki Systems Manager or Cisco ISE.
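For the troubleshooting step described above (checking the User-Agent of a client's HTTP GET in a packet capture), the following added example, which is not Meraki code, extracts that header from a reassembled client-to-server stream and reports the OS it advertises. The token list, labels, function names and sample request are assumptions made for illustration; the access point's actual matching rules are not documented on this page.

```python
import re

# Assumed OS tokens and labels, for illustration only (not the access point's table).
# Order matters: Windows Phone strings also contain "Android", and iPhone/iPad
# strings contain "like Mac OS X", so the more specific tokens are tested first.
OS_TOKENS = [
    (re.compile(r"Windows Phone", re.I), "Windows Phone"),
    (re.compile(r"Windows NT", re.I), "Windows"),
    (re.compile(r"iPhone", re.I), "iPhone"),
    (re.compile(r"iPad", re.I), "iPad"),
    (re.compile(r"Android", re.I), "Android"),
    (re.compile(r"Mac OS X", re.I), "Mac OS X"),
]

def first_get_user_agent(stream: bytes):
    """Return the User-Agent of the first HTTP GET in a client-to-server stream.

    Returns None if the stream has no GET request, and "" if the first GET
    has no User-Agent header. Assumes header-only requests (no bodies).
    """
    for request in stream.split(b"\r\n\r\n"):
        lines = request.decode("latin-1").split("\r\n")
        if not lines[0].startswith("GET "):
            continue
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            # Header names are case-insensitive.
            if sep and name.strip().lower() == "user-agent":
                return value.strip()
        return ""
    return None

def advertised_os(user_agent):
    """Map a User-Agent string to the OS it claims, or "unknown"."""
    if not user_agent:
        return "unknown"
    for pattern, label in OS_TOKENS:
        if pattern.search(user_agent):
            return label
    return "unknown"

# Constructed sample request, not taken from a real capture.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) ExampleBrowser/1.0\r\n"
          b"Accept: */*\r\n\r\n")

if __name__ == "__main__":
    print(advertised_os(first_get_user_agent(SAMPLE)))
```

The result is only what the client claims about itself, so it explains which device type policy would match, not what the device actually is.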