Support Forum
IronMan
New Contributor III

How to block mobile phones from connecting to WiFi?

I've blocked many mobile phones from connecting to our Wi-Fi via MAC blocking at the DHCP advanced options on Fortigate. But the problem is most of these phones have MAC randomisation turned on, so the next day they're back on my Wi-Fi again.

Is there any other way to block these devices, other than using a whitelist option?

Is there a way to block by hostname? Or any other identifier?

Muhammad_Haiqal

Hi @IronMan ,

Please take a look at this article: https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/103514/device-inventory

Please let me know if you have questions.

haiqal
IronMan

The article just mentions detecting devices' hostname, OS, IP, etc.

But the only way to block a device is still only by MAC address.

Muhammad_Haiqal

Hi @IronMan ,

This KB might help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Usage-of-application-control-to-block-Mobi...

I know your requirement can be achieved. I have done it previously and it's working.

It may depend on the firmware version too.

haiqal
IronMan

Hmm... I got it to work but I cannot block all Androids just like that as we have some machines running on Android that still need to access the network.

Is there a way to block it on other levels? Maybe by Android version? But I feel blocking by hostname would be a lot safer and easier. Any way to do that?

flamer
New Contributor II

How random are the random MACs? If the first few octets remain the same you can use a wildcard match in the MAC address field. Usually the first 6 digits are the vendor code, which may not change even when randomising.

Sounds like the problem could be solved differently though. If these devices shouldn't be on the network, how are they allowed to authenticate? If it's a known shared PSK, then perhaps look at using PPSK, or what about using RADIUS so they need to log in with AD credentials.
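As an added example (not code from any poster in this thread), the following script shows how a defender can tell randomised addresses apart from burned-in ones in a DHCP lease list: randomised Wi-Fi MACs on Android and iOS set the locally administered bit (0x02 of the first octet), whereas a burned-in address carries the vendor OUI with that bit clear. The lease lines are constructed sample data, not output from the poster's Fortigate.

```python
import re

# Constructed sample DHCP lease lines: "ip mac hostname". Not from the thread.
SAMPLE_LEASES = """\
192.168.1.20 a4:83:e7:12:34:56 office-printer
192.168.1.31 da:1f:9c:77:a0:3e Galaxy-S23
192.168.1.32 3e:02:b8:4c:11:09 iPhone
192.168.1.40 00:1a:2b:3c:4d:5e scanner-01
"""

MAC_RE = re.compile(r"^([0-9a-f]{2})(?::[0-9a-f]{2}){5}$")


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomised Wi-Fi MACs set this bit; burned-in addresses keep the
    vendor OUI in the first three octets and have the bit clear.
    """
    m = MAC_RE.match(mac.lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(m.group(1), 16) & 0x02 != 0


def classify_leases(text: str):
    """Return [(ip, mac, hostname, 'randomised' | 'burned-in'), ...]."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # skip blank or malformed lines
            continue
        ip, mac, host = parts[0], parts[1], " ".join(parts[2:])
        kind = "randomised" if is_locally_administered(mac) else "burned-in"
        rows.append((ip, mac.lower(), host, kind))
    return rows


def randomised_hosts(text: str):
    """Hostnames whose current lease MAC is locally administered."""
    return sorted(h for _, _, h, k in classify_leases(text) if k == "randomised")


if __name__ == "__main__":
    for row in classify_leases(SAMPLE_LEASES):
        print(*row)
```

Hosts flagged as randomised are the ones whose MAC will change between visits, so an OUI wildcard or a MAC blocklist will not hold for them.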

IronMan
New Contributor III

The MAC address is totally different each time. We're a somewhat small office, without any AD. Devices currently connect to Wi-Fi via a single password. We have 4 consumer grade access points of varying brands. I doubt they have a PPSK option. I'm trying to do this without additional costs.

Seems like a simple solution, but it's difficult.

Is there no way to block them via hostname? Some articles mention hostname but don't mention how.

adambomb1219
SuperUser

You should really use a NAC appliance for this (FortiNAC, Cisco ISE, Aruba ClearPass, etc.)

mcveyroosevelt219
New Contributor

You can disable MAC address randomization on the devices or use a more persistent identification method like IP address or DNS filtering. Since MAC randomization bypasses MAC filtering, another approach is to implement RADIUS-based authentication (802.1X), which requires users to authenticate via credentials. Alternatively, blocking by hostname can be attempted if the devices consistently use the same hostname, but this is less reliable. You could also consider using deep packet inspection or a network access control system to detect and block unauthorized devices based on patterns or behavior.

potassu2
New Contributor

But your original problem may be that I found some cell phones will change their MAC address every time they connect. You can disable this setting in each device if it's an option; my Android does this, as did my son's iPhone. This is why I don't let new connections connect: it will block their new MAC because it's a new device. It's called Randomize MAC address.
