The IoT Enforcement Screen is used to configure category-based device authentication. OmniVista monitors network packets to determine the types of devices connected to the network and interfaces with a Device Fingerprinting Service to categorize them. The IoT Enforcement feature enables you to authenticate devices by associating a Category with an Access Role Profile. Once a device accesses the network and is categorized, the assigned Access Role Profile is applied to the device. You can associate different Access Role Profiles with different categories; and you can enable automatic or manual enforcement Categories.
You can also specify exceptions for specific devices by SSID, MAC address, AP Group, or IP address. When a device matching one of these exceptions is categorized, it will not be subject to IoT enforcement configured for its category.
Important Note: There are network prerequisites and configuration steps that must be completed to enable IoT. See the IoT Overview online help for an overview of the application including prerequisites.
The Enforcement Screen lists all Default and Custom IoT Categories. IoT Enforcement is automatically enabled for all Categories by default (the Automatic Enforcement button at the top of the screen is set to "On"). However, you can manually enable/disable IoT Enforcement on specific Categories.
If necessary, set the Automatic Enforcement button at the top of the screen to "On". Assign an Access Role Profile to a Category(ies) as described below. The profile will automatically be applied to any device that matches the Category. If a Category is not assigned an Access Role Profile, there will be no IoT Enforcement for that Category.
Note: If you change Automatic Enforcement from "On" to "Off", enforcement will continue for any device on which enforcement was previously enabled, unless you manually disable enforcement for the Category used for the device, or if the device re-initializes or roams to another switch/AP. If you change Automatic Enforcement from "Off" to "On", Automatic Enforcement will only be applied to devices that connect to the network and match a configured Enforcement Category after you enable Automatic Enforcement. If you delete a Category/ARP mapping, the new mapping configuration will be applied the next time an endpoint reconnects to a switch/AP.
If Automatic Enforcement is disabled (Off), Access Role Profiles assigned to Categories are not applied to devices. However, you can manually enable IoT Enforcement for specific Categories. With the Automatic Enforcement button at the top of the screen set to "Off", select a Category(ies) and click on the Enable Enforcement button at the top of the Category List. The Enable Enforcement window will appear. Review the Categories in the Enable Enforcement column and click on OK.
Assign an Access Role Profile to a Category(ies) as described below. The Access Role Profile will be applied to any device that matches the Category.
Note: Manual Enforcement is applied to currently-connected clients only. If Automatic Enforcement is "Off", you must apply enforcement manually whenever IoT-based enforcement is desired.
Note: After enabling manual enforcement for a Category(ies), if an endpoint roams to another switch/AP or re-initializes, there will be no IoT Enforcement for that Category. You must disable Enforcement of the Category and enable it again to apply IoT enforcement manually to currently-connected endpoints.
Click on the Edit icon to the right of the Access Role Profile column to bring up the Access Role Profile drop-down menu. Click on the drop-down to bring up a list of all configured Access Role Profiles, select a profile and click OK. The assigned Access Role Profile will be displayed in the Access Role Profile column next to the Category.
You can also click on "Add New" to go to the Access Role Profile Scree and create a new profile. Once the profile is created, return to the IoT Enforcement Screen and select the new profile.
Important Note: The Access Role Profile must exist on the switches/APs connected to the endpoint devices. If you are creating a new Access Role Profile, you must first assign the profile to any applicable switch(es)AP Group(s) before assigning it to a Category in the IoT application. See the Access Role Profile online help for more information on creating and assigning Access Role Profiles.
You can change the Access Role Profile assigned to a Category at any time. Click on the Edit icon to the right of the Access Role Profile column and follow the procedure above to assign a new Access Role Profile.
You can delete an Access Role Profile assignment at any time. Click on the Delete icon to the right of the Access Role Profile column, then click OK at the Confirmation Prompt. The Category will move to the bottom of the list and will no longer have an assigned Access Role Profile. You can later assign an Access Role Profile at any time.
You can specify exceptions for specific devices by SSID, MAC address, AP Group, or IP address. When a device matching one of these exceptions is categorized, it will not be subject to IoT enforcement configured for its category. To create IoT Enforcement exceptions, click on the Exception List button at the top of the screen to bring up the Exception List Screen. Add SSID(s), MAC address(es), AP Group(s), or IP address(es) to the exception list as described below and click on the Apply button.
The Summary at the top of the Exception List displays the number of SSID(s), Endpoint MAC(s), AP Group(s), and Switch(es)/APs that have been added to the Exception List. Click on one of the items or scroll down to add/remove devices from the Exception List.
Note: If an endpoint is initially configured for Enforcement and later added to the Exception List, the endpoint can remain assigned to the Enforcement UNP because the switch/AP will cache the Enforcement UNP and reapply it to the endpoint if it reconnects. To add a device that was assigned to an Enforcement UNP to the Exception List, first remove Enforcement from the endpoint, then add it to the Exception List.
To add devices associated with an SSID to the Exception List, click on the Change Selection button to bring up the SSID Selection window. Select an SSID(s) and click on the Add button, then click on OK to add the SSID(s) to the Exception List. To remove an SSID(s) click on the Change Selection button to bring up the SSID Selection window. Select an SSID(s) and click on the Remove button, then click on OK to remove the SSID(s) from the Exception List.
To add devices by MAC address to the Exception List, input a device MAC Address and press Enter to add it to the Exception List. To remove a device, click on the "Selected Endpoint MAC(s) link to bring up the Endpoint Selection window. Select a device MAC address(es) and click on the Remove button, then click on OK to remove the devices(s) from the Exception List.
To add devices associated with APs in an AP Group to the Exception List, click on the Change Selection button to bring up the SSID Selection window. Select an SSID(s) and click on the Add button, then click on OK to add the AP Group(s) to the Exception List. To remove an AP Group(s) click on the Change Selection button to bring up the AP Group Selection window. Select an AP Group(s) and click on the Remove button, then click on OK to remove the AP Group(s) from the Exception List.
To add devices by IP address to the Exception List, click on the Change Selection button to bring up the Device Selection window. Select a device(s) and click on the Add button, then click on OK to add the device(s) to the Exception List. To remove a device(s) click on the Change Selection button to bring up the Device Selection window. Select a device(s) and click on the Remove button, then click on OK to remove the device(s) from the Exception List.