We’ve recently enabled a similar open network & allowed gaming & home a/v devices on w/o the need for registration or additional configuration.
To do this, we’re using Aruba HPE ClearPass. It handles ALMOST all of the categorizing & classification from DHCP Fingerprints and other voodoo black magic between itself & our Aruba controllers. I emphasized almost, because we had to be pretty tuned into what it fails to classify & make specific exceptions / roles to allow some un-categorized devices like Roku TVs, Amazon TAP & Fire Sticks.

These exceptions could be seen as security holes so we locked down this new open network even more so than usual - NAT’ed, no access to internal resources, different IP space, several common ports restricted. We’ve yet to hear of any complaints from gamers or streamers alike, but we’ll have to investigate once we do.

Our role assignment does a few things…

1) If categorized as Home AV or Game Console = ALLOW
2) If categorized as one of our 3 exceptions = ALLOW
3) If Computer = JAILED - Captive Portal telling user to use our Secure 802.1x network
4) If MAC Registered = ALLOW
5) If Smart Device = JAILED - Captive Portal telling user to use our Secure 802.1x network
6) Else, DENIED = JAILED - Captive Portal asking user to get in touch with us.

We did this after doing a similar change at another school we provide service for. Except there, we didn’t create a new network, we used the existing WEP keyed network & skipped checking MAC Registration for categorized devices. Users still need to configure their device for WEP, but they now no longer have to register them.

The most impressive device we ran into was the Fire Stick - it displayed a Captive Portal natively on the device.
Best of luck,
--Raf

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Cappalli, Tim (Aruba Security)" <t...@hpe.com>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, April 11, 2017 at 8:41 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Amazon echo & Google home

Echo supports captive portal via the phone used for setup. How is the NAC detecting them? DHCP fingerprinting? Registration?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Entwistle, Bruce" <bruce_entwis...@redlands.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, April 10, 2017 at 5:13 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Amazon echo & Google home

We are currently using our NAC on an unsecured network to detect gaming devices and allowing the appropriate devices to connect, then directing other devices to our 802.1x network. However, this solution is currently not available for the Amazon echo and Google home devices. I was looking to the group to see how others are providing a wireless connection for these devices.

Thank you
Bruce Entwistle
Network Manager
University of Redlands

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
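The six-step role assignment listed in Raf's reply at the top of this thread, as an added example that is not ClearPass configuration and not code from any poster. It assumes the rules are evaluated top to bottom with the first match winning; the device records, MAC addresses and the `Device`, `assign_role` and `admitted_by_exception` names are constructed for illustration.

```python
# Added illustration; not ClearPass configuration or code from the thread.
# Assumption: rules are evaluated top to bottom and the first match wins.
from dataclasses import dataclass

ALLOW, JAILED = "ALLOW", "JAILED"

@dataclass(frozen=True)
class Device:
    mac: str
    category: str            # classifier output, e.g. from DHCP fingerprinting
    name: str = ""           # profiled device name, if any
    mac_registered: bool = False

# The three uncategorized devices the post names as exceptions.
EXCEPTIONS = {"Roku TV", "Amazon TAP", "Fire Stick"}
USE_8021X = "use the secure 802.1x network"

# (rule number, predicate, action, captive-portal message) in the posted order.
RULES = [
    (1, lambda d: d.category in {"Home AV", "Game Console"}, ALLOW, None),
    (2, lambda d: d.name in EXCEPTIONS, ALLOW, None),
    (3, lambda d: d.category == "Computer", JAILED, USE_8021X),
    (4, lambda d: d.mac_registered, ALLOW, None),
    (5, lambda d: d.category == "Smart Device", JAILED, USE_8021X),
]
DEFAULT = (6, JAILED, "get in touch with us")  # rule 6: everything else

def assign_role(device):
    """Return (rule number, action, portal message) for the first matching rule."""
    for number, matches, action, message in RULES:
        if matches(device):
            return number, action, message
    return DEFAULT

def admitted_by_exception(devices):
    """MACs let on only through rule 2, the entries worth reviewing periodically."""
    return [d.mac for d in devices if assign_role(d)[0] == 2]

# Constructed sample clients (locally administered MAC addresses).
SAMPLE = [
    Device("02:00:00:00:00:01", "Game Console", "PlayStation 4"),
    Device("02:00:00:00:00:02", "Unknown", "Roku TV"),
    Device("02:00:00:00:00:03", "Computer", "Windows laptop", mac_registered=True),
    Device("02:00:00:00:00:04", "Unknown", "", mac_registered=True),
    Device("02:00:00:00:00:05", "Smart Device", "iPhone"),
    Device("02:00:00:00:00:06", "Unknown", ""),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.mac, d.name or "(unprofiled)", assign_role(d))
```

Under the first-match assumption, a MAC-registered computer is still jailed by rule 3 before rule 4 is reached, while a MAC-registered smart device is allowed by rule 4 before rule 5.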