01-14-2011 04:12 AM - edited 07-03-2021 07:40 PM
Hi there,
In our company we are currently in the process of setting up a new project which aims to give users access to certain services based on the hardware client and corresponding operating system they use. Those services will be provided over Citrix and connection to Wireless over one SSID.
One example would be a user A comes into the office and connects with his iPad to SSID "1234" and afterwards starts the Citrix app which provides him access to Mail and Remote Desktop connection to a terminal server.
User B also connects to SSID "1234" but he uses a device with Android OS and thus will have different services available than user A.
This process should be as little cumbersome for the user as possible.
One idea we thought about was to use dynamic VLAN assignment, but I could not find a RADIUS attribute that accounts for identifying the operating system, let alone one that would even have been supported.
This way we could have identified the user by the source IP when the request arrives at the Citrix server farm.
Another idea that came to my mind would be to use the web passthrough feature of the WLC which redirects the user upon connection to an external web server, which in turn could identify the client via the user agent and pass this information along, but so far I couldn't get it to work.
I first tried to test it by overriding the global config of web-auth within the WLAN Layer 3 Security tab (the global one is used for a different purpose) and selected "Re-direct to external server", which points to an HTML site with an embedded PHP script for browser and OS detection. The problem is, the page doesn't pop up after successfully connecting to the WLAN.
Do you think that would be a good approach, or does anybody have a much more feasible idea?
Thanks in advance!
01-14-2011 05:55 AM
You should look into the NAC Profiler possibility. It does precisely what you are looking for. It's not free though 🙂
On the "free" side, I can't see any trick that would work though.
I think (but not sure on this one) that a simple HTML GET already contains the client browser info, doesn't it?
I don't think PHP is supported as a web authentication page.
Nicolas
01-14-2011 06:01 AM
Hi Patrick,
Authorizing users based on their OS is something usually achieved through an agent installed on the user machines, which can inform the authentication server about what kind of OS those machines are running.
I guess the same principle would need to apply even with an external web authentication server: we need something on the client that tells us which OS is running.
A good option to achieve what you described is by integrating the wireless deployment with the NAC solution:
Users would need to either install the NAC Agent or to use the NAC Web Agent through the web browser.
These are usually not supported on Android OS or Apple's iOS for example, but in such a case you could simply keep those users on a kind of quarantine VLAN.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
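The user-agent idea raised in the thread, sketched as an added example that is not part of any post above: it classifies the `User-Agent` header an external redirect server would receive and falls back to a quarantine VLAN for anything it cannot place, as suggested in the last reply. The policy table, VLAN names, function names and sample header strings are constructed assumptions; because the header is supplied by the client, the result is only a hint and not an authenticated attribute.

```python
import re

# Constructed policy: OS class -> (VLAN name, services). All names are hypothetical.
POLICY = {
    "ios": ("vlan-ios", ["mail", "rdp"]),
    "android": ("vlan-android", ["mail"]),
}
QUARANTINE = ("vlan-quarantine", [])

# Order matters: Android headers also contain "Linux", and iPad/iPhone
# headers also contain "Mac OS X", so the specific patterns come first.
RULES = [
    ("android", re.compile(r"\bAndroid\b", re.I)),
    ("ios", re.compile(r"\b(iPad|iPhone|iPod)\b")),
    ("windows", re.compile(r"\bWindows NT\b")),
    ("macos", re.compile(r"\bMacintosh\b")),
    ("linux", re.compile(r"\bLinux\b")),
]

MAX_UA_LEN = 512  # reject oversized headers instead of scanning them


def classify_os(user_agent):
    """Return a coarse OS class for a User-Agent string, or 'unknown'."""
    if not user_agent or len(user_agent) > MAX_UA_LEN:
        return "unknown"
    for name, pattern in RULES:
        if pattern.search(user_agent):
            return name
    return "unknown"


def policy_for(user_agent):
    """Map a User-Agent to a VLAN and service list; default is quarantine."""
    os_class = classify_os(user_agent)
    vlan, services = POLICY.get(os_class, QUARANTINE)
    return {"os": os_class, "vlan": vlan, "services": list(services)}


# Constructed sample headers, for illustration only.
SAMPLES = {
    "ipad": "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; en-us) "
            "AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8C148",
    "android": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One) "
               "AppleWebKit/533.1 (KHTML, like Gecko) Mobile Safari/533.1",
    "windows": "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101",
    "missing": "",
}

if __name__ == "__main__":
    for label, ua in SAMPLES.items():
        print(label, policy_for(ua))
```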