Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IronMan
New Contributor III

How to block mobile phones from connecting to WiFi?

I've blocked many mobile phones from connecting to our WiFi via MAC blocking at the DHCP advanced options on FortiGate. But the problem is most of these phones have MAC randomisation turned on, so the next day they're back on my WiFi again.

 

Is there any other way to block these devices, other than using a whitelist option?

Is there a way to block by hostname, or any other identifier?

Muhammad_Haiqal

Hi @IronMan ,

Please take a look at this article: https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/103514/device-inventory

 

Please let me know if you have questions.

haiqal
IronMan

The article just mentions detecting devices' hostname, OS, IP, etc.

But the only way to block a device is still only by MAC address.

 

 

Muhammad_Haiqal

Hi @IronMan ,

This KB might help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Usage-of-application-control-to-block-Mobi...

I know your requirement can be achieved. I have done it previously and it's working.

It may depend on the firmware version too.

haiqal
IronMan

Hmm... I got it to work, but I cannot block all Androids just like that, as we have some machines running on Android that still need to access the network.

 

Is there a way to block it on other levels? Maybe by Android version? But I feel blocking by hostname would be a lot safer and easier. Any way to do that?

flamer
New Contributor II

How random are the random MACs? If the first few octets remain the same you can use a wildcard match in the MAC address field. Usually the first 6 digits are the vendor code, which may not change even when randomising.

 

Sounds like the problem could be solved differently though. If these devices shouldn't be on the network, how are they allowed to authenticate? If it's a known shared PSK, then perhaps look at using PPSK, or what about using RADIUS so they need to log in with AD credentials?
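A way to answer the "how random are the random MACs" question from the DHCP side, as an added example that is not code from the thread or from Fortinet: every address that Android and iOS generate under MAC randomisation has the locally administered (U/L) bit set, bit 1 of the first octet, so its first three octets are not a vendor OUI and need not stay the same between associations. Checking that bit on each leased address tells you which devices a vendor-prefix wildcard could pin down and which ones it will miss. The lease records, hostnames and MACs below are constructed sample data, and the prefix matcher is a plain string prefix match written for the example, not a statement of how the FortiGate wildcard field is evaluated.

```python
"""Classify MAC addresses seen in DHCP leases as vendor-assigned or
randomised (locally administered), and show what a prefix wildcard catches.
Added example, not FortiGate code; all lease data below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample lease records (hostname, MAC): not real devices.
SAMPLE_LEASES: List[Tuple[str, str]] = [
    ("Galaxy-S21", "da:a1:19:3c:7e:01"),   # first octet 0xda: U/L bit set
    ("iPhone", "02:5c:91:aa:bb:cc"),       # first octet 0x02: U/L bit set
    ("HANDHELD-01", "00:1b:63:84:45:e6"),  # burned-in address, vendor OUI
    ("HANDHELD-02", "00:1b:63:10:20:30"),  # same OUI as HANDHELD-01
    ("printer", "3C-2A-F4-00-11-22"),      # dash separated, upper case
]

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(mac: str) -> bytes:
    """Return the six raw octets of a colon- or dash-separated MAC."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", mac))


def canonical(mac: str) -> str:
    """Lower-case, colon-separated form, so patterns and leases compare cleanly."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.
    Randomised addresses from Android and iOS set it, so the first three
    octets are not a vendor OUI and can change on the next association."""
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac: str) -> str:
    """First three octets; only meaningful when the U/L bit is clear."""
    return canonical(mac)[:8]


def matches_prefix(pattern: str, mac: str) -> bool:
    """Plain prefix match for an 'aa:bb:cc:*' style entry (assumed syntax
    for this example, not how the FortiGate wildcard field is evaluated)."""
    prefix = pattern.lower().replace("-", ":").rstrip("*")
    return canonical(mac).startswith(prefix)


def classify_leases(leases: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Split leases into addresses a vendor-prefix rule could pin down and
    randomised ones that will look different the next day."""
    result: Dict[str, List[Tuple[str, str]]] = {"vendor": [], "randomised": []}
    for host, mac in leases:
        key = "randomised" if is_locally_administered(mac) else "vendor"
        result[key].append((host, canonical(mac)))
    return result


def hosts_matching(pattern: str, leases: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose leased MAC a prefix wildcard would block."""
    return [host for host, mac in leases if matches_prefix(pattern, mac)]


if __name__ == "__main__":
    groups = classify_leases(SAMPLE_LEASES)
    for host, mac in groups["vendor"]:
        print(f"{host:12s} {mac}  vendor OUI {oui(mac)}  (prefix rule can work)")
    for host, mac in groups["randomised"]:
        print(f"{host:12s} {mac}  randomised       (prefix rule will miss it)")
    print("blocked by 00:1b:63:*:", hosts_matching("00:1b:63:*", SAMPLE_LEASES))
```

Run as-is it prints the classification of the constructed leases; point `classify_leases` at the (hostname, MAC) pairs pulled from a real DHCP lease export and the "randomised" group is the set of devices that a MAC or OUI block cannot hold onto, which is the population the PPSK or RADIUS suggestion is aimed at.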

IronMan
New Contributor III

The MAC address is totally different each time. We're a somewhat small office, without any AD. Devices currently connect to WiFi via a single password. We have 4 consumer-grade access points of varying brands. I doubt they have a PPSK option. I'm trying to do this without additional costs.

 

Seems like a simple solution, but it's difficult.

 

Is there no way to block them via hostname? Some articles mention hostname but don't mention how.

adambomb1219
SuperUser

You should really use a NAC appliance for this (FortiNAC, Cisco ISE, Aruba ClearPass, etc.)
