Client Auto-Classification
Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)
Clients are classified in these categories:
- Authorized — Clients that connect via an authorized AP.
- Guest — Clients that have connected to an authorized guest SSID.
- Rogue — Clients that connect to a rogue AP within range of the monitored network. Rogue clients remain classified as rogue until deleted or manually re-categorized.
- External — Neighborhood clients that are not part of your Wi-Fi network but operate in the vicinity. External clients can be reclassified if they connect to an Authorized, Authorized Guest, or Rogue access point.
- Uncategorized — New clients discovered by Wi-Fi Cloud that have not yet been classified.
- Misbehaving — Authorized clients that connected to an external, guest, or rogue AP, ad hoc network, or performed wired/wireless bridging.
You can define the classification policy of detected wireless clients at the selected location based on initial discovery and subsequent AP associations by the client. This policy is automatically inherited by child locations of the selected location. The intrusion prevention actions enforced on wireless clients are based on these classifications.
Configure Client Auto-Classification
To configure client auto-classification, in Discover, select Configure > WIPS > Client Auto-classification.
Initial Client Classification
You can choose to classify any newly discovered client as either External, Authorized, or Guest, and then allow them to be reclassified based on their associations.
Association Based Classification
These options are based on when clients connect to Authorized, Rogue, Guest, and External APs on your network.
By default, clients are automatically classified as Authorized Clients when they connect to an Authorized AP.
You can modify these options in the Clients Connecting to Authorized Access Points section from the default settings:
- Select Reclassify External Clients as and set the value to Authorized.
- Select Reclassify Guest Clients as and set the value to Authorized.
When you first deploy WIPS, you might encounter cases where new corporate devices mistakenly connect to your Guest network or an External AP instead of an Authorized AP, and are permanently classified as Guest or External clients. To prevent this, you can reclassify the client as Authorized when it successfully connects to an Authorized AP.
These options are applied when clients connect to APs classified as Rogue.
These options are applied when clients connect to APs that broadcast authorized Guest SSIDs.
These options are applied when clients connect to APs classified as External.
These options are applied when clients that are not authorized attempt to bridge their Wi-Fi connection to the wired network.
You can enable RSSI-based client classification for uncategorized clients and/or external clients. This feature uses the signal strength of the client to determine the client classification.
RSSI-based classification is for advanced users and should only be enabled in isolated wireless environments without much neighborhood Wi-Fi activity. Note these considerations if you want to reclassify clients as rogue clients:
- RSSI-based classification can cause legitimate neighborhood clients to be classified as rogue clients and subjected to containment if automatic prevention is enabled. This can cause disruption to neighborhood Wi-Fi networks because clients classified as rogues will not be able to connect to other APs or clients when they are within your Wi-Fi network coverage.
- Low power clients or clients that are too far from the RSSI measurement point will still not get classified as rogue clients because they do not meet the RSSI threshold.
To configure RSSI Based Classification:
- Select RSSI Based Client Classification.
- Specify whether Uncategorized Clients and/or External Clients should be reclassified.
- In the classification drop-down list, select the classification to use when you reclassify clients based on the RSSI (Authorized, Guest, Rogue).
- Select the Signal Strength Threshold in dBm. Clients with a detected RSSI greater than the threshold will be reclassified. RSSI values closer to 0 indicate a stronger signal.