Leswan
New Contributor

Prevent students from using both computer, phone and tablet at the same time

Hey,

I'm trying to limit my students from using all of their devices on the school's wifi network at the same time.

I've changed policy-auth-concurrent to 1 (https://kb.fortinet.com/kb/documentLink.do?externalID=FD33675) in the hope that this would help. I use WPA2 Enterprise for the SSID and the local FortiGate user database for authentication. I log on just fine, but it still lets me log on with both computer, phone, etc. at the same time.

My question is: Is policy-auth-concurrent the command to use for this, or am I all wrong? Does anyone know what I could be missing, or if there are other commands more suitable for my problem?

It used to be a simple task with my old Untangle firewall, but it seems a bit more complicated here ;-)

Sincerely,
Leswan

xsilver_FTNT
Staff

Hi,

auth-concurrent should work. Make sure you haven't overridden it via auth-concurrent at the per-user or per-group level with an unlimited setting. Or, on the other hand, try overriding the global setting at the per-user level, as the per-user setting takes precedence over the global setting (as it is more specific).

If you want to let them log in from authorized devices only, then, besides implementing some serious NAC (Network Access Controller), you can also ...

1. Control access at the IP level. Only specific IPs from workstations are allowed. IPs are set statically, with no automatic IP assignment to new devices. Weak, as one can set their own static IP.

2. MAC based: IPs are assigned semi-statically by DHCP, which will assign an IP only to reserved MAC addresses.

You need to enroll MAC addresses in DHCP reservations. A small list can be maintained even by the FortiGate; bigger deployments should use a separate DHCP server. IP-per-MAC assignment is an old but still good trick.

Stronger, as it's harder to get your MAC enrolled; weak against misuse and against statically setting an IP from the expected pool.

3. 802.1X port-based authentication. Could be, for example, even EAP-TLS for wired or wifi. Certificates and PKI are involved, so certificate enrollment for users/computers is needed. For example, FortiAuthenticator, if in place, can let users self-enroll their own device certificates, but for a set number of devices, like 1 device only, to limit and have some control over the BYOD scenario.

Enrollment can be controlled or even mandate admin approval.

That's a more complex scenario and more secure, from my point of view.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
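As an added illustration of the global-versus-per-user precedence described in the reply above (editor's example configuration in FortiOS CLI, not taken from the thread, from Fortinet documentation, or from either poster; the user name "student01" and group name "students" are constructed placeholders):

```text
# Added example (FortiOS CLI). Names below are constructed placeholders.

# 1. Global limit: one concurrent firewall-policy login per user.
#    Value 0 means "no limit", so a stray 0 here leaves the door open.
config system global
    set policy-auth-concurrent 1
end

# 2. Per-user override. The override is more specific than the global
#    setting and therefore wins: 0 = unlimited (undoes the global limit
#    for this user), 1 = one device at a time, whatever the global says.
config user local
    edit "student01"
        set auth-concurrent-override enable
        set auth-concurrent-value 1
    next
end

# 3. The same override exists on groups. A group left at override
#    enabled with value 0 silently defeats the global limit for every
#    member, so keep it disabled unless you mean to change the limit.
config user group
    edit "students"
        set auth-concurrent-override disable
    next
end

# 4. Checks: confirm no per-user or per-group override is sitting at 0,
#    then watch the live authentication table while a second device
#    from the same account tries to log in.
show user local student01
show user group students
diagnose firewall auth list
```

Two things worth knowing when testing this. First, `show` prints only non-default settings, so an override that does not appear is at its default (disabled). Second, these counters apply to firewall-policy (identity-based) logins such as the captive portal the original poster ended up using; a WPA2 Enterprise association is authenticated by the SSID against RADIUS or the local user database and is not itself a firewall-policy login, which is why the global knob alone can appear to do nothing in that setup.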

Leswan

Thanks for the answer and all the extra options. I got it to work with Captive Portal. I will try to set up a RADIUS server at some point and see if I can get it to work with that instead.
