On 6/4/2012 6:40 AM, Francois Gaudreault wrote:
> Hi Barry,
>
>> What I want to do is prevent mobile devices like
>> BlackBerries, iPhone/iPad etc from even being able to connect to the
>> wireless access point. I don't want them sitting in the registration or
>> the guest vlans.  I can move them to the isolation vlan, but I would
>> just prefer that they just aren't allowed to connect....
>> Is that even possible?
> Yes.  Create a violation for those devices, and as the target vlan, use
> for example customVlan5.  In your switches.conf, put -1 in the
> customVlan5 and you should be all set.
>
> Thanks.
>
The one thing that your suggestion doesn't prevent is the device
association with the access point.  It will move the device into the
ether but not until after the device has gone through authentication
(MAC auth in this case) on the open SSID, on the access point.  I just
don't even want the device to associate.  I can do it with an
association ACL on the access point, but I would like to manage it all
in one place.  If I could tie a violation to the RADIUS auth so that
when you see "handling radius autz request: from switch_ip" it would
send an auth reject message instead of an accept message, thereby
preventing the device from associating.  Obviously this would only work
with violations based on VENDORMAC.
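
The decision described in the message above, as an added example that is not PacketFence code and not part of the original thread: a MAC-auth request is answered with Access-Reject when the vendor prefix (OUI) of its Calling-Station-Id matches a blocked vendor. The function names, the dict representation of a request, the OUI values and the reject-on-malformed policy are all assumptions made for illustration.

```python
import re

# Constructed vendor prefixes for illustration only; these are placeholders,
# not real assignments for any mobile device vendor.
BLOCKED_OUIS = {
    "00005E": "example-vendor-a (constructed)",
    "001122": "example-vendor-b (constructed)",
}


def normalize_mac(calling_station_id):
    """Return the MAC as 12 uppercase hex digits, or None if it is not a MAC.

    Access points and controllers send Calling-Station-Id in several layouts
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455), so separators are
    stripped before the vendor prefix is compared.
    """
    digits = re.sub(r"[-:.\s]", "", calling_station_id or "").upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def authorize(request, blocked=BLOCKED_OUIS):
    """Return (reply, reason) for a MAC-auth request given as an attribute dict."""
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        # Assumed policy: a request without a usable MAC is not accepted.
        return ("Access-Reject", "missing or malformed Calling-Station-Id")
    vendor = blocked.get(mac[:6])  # first three octets identify the vendor
    if vendor is not None:
        return ("Access-Reject", "vendor prefix blocked: " + vendor)
    return ("Access-Accept", "no vendor violation matched")


if __name__ == "__main__":
    # Constructed sample requests, one per Calling-Station-Id layout.
    samples = [
        {"NAS-IP-Address": "192.0.2.10", "Calling-Station-Id": "00-00-5E-00-53-01"},
        {"NAS-IP-Address": "192.0.2.10", "Calling-Station-Id": "0011.2233.4455"},
        {"NAS-IP-Address": "192.0.2.10", "Calling-Station-Id": "f0:0d:aa:01:02:03"},
        {"NAS-IP-Address": "192.0.2.10"},
    ]
    for req in samples:
        print(req.get("Calling-Station-Id"), authorize(req))
```

A vendor prefix only reflects the MAC address the client presents, so this check sorts devices by claimed vendor rather than verifying what the device actually is.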
