I've blocked many mobile phones from connecting to our wifi via MAC blocking at the DHCP advanced options on Fortigate. But the problem is most of these phones have MAC randomisation turned on, so the next day they're back on my Wifi again.
Is there any other way to block these devices, other that using a whitelist option?
Is there a way to block by hostname? or any other identifier?
Hi @IronMan ,
Please take a look at this article: https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/103514/device-inventory
Please let me know if you have questions.
The article just mentions about detecting devices hostname, OS, IP, etc.
But the only way to block a device is still only by MAC address.
Hi @IronMan ,
This KB might help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Usage-of-application-control-to-block-Mobi...
I know your requirement can be achieve. I have done previously and its working.
It may depend on the firmware version too.
Hmm... I got it to work but I cannot block all Androids just like that as we have some machines running on Android that still need to access the network.
Is there a way to block it on other levels? Maybe by Android version? But I feel blocking by Hostname would be a lot safer and easier. Anyway to do that?
How random are the random macs? if the first few octets remain the same you can use a wildcard match in the mac address field. Usually first 6 digits are the vendor code that may not change even when randomising.
Sounds like the problem could be solved differently though, if these devices shouldn't be on the network how are they allowed to authenticate, if its a known shared psk, then perhaps look at using ppsk, or what about using radius so they need to login with AD credentials.
The MAC address is totally different each time. We're a somewhat small office, without any AD. Devices currently connect to WiFI via a single password. We have 4 consumer grade access points of varying brands. I doubt they have PPSK option. I'm trying to do this without additional costs.
Seems like a simple solution, but it's difficult.
Is there no way to block them via hostname? Some articles mention about hostname but don't mention how.
You should really use a NAC appliance for this (FortiNAC, Cisco ISE, Aruba ClearPass, etc.)
You can disable MAC address randomization on the devices or use a more persistent identification method like IP address or DNS filtering. Since MAC randomization bypasses MAC filtering, another approach is to implement radius-based authentication (802.1X), which requires users to authenticate via credentials. Alternatively, blocking by hostname can be attempted if the devices consistently use the same hostname, but this is less reliable. You could also consider using deep packet inspection or a network access control system to detect and block unauthorized devices based on patterns or behavior.
To block mobile phones from connecting to your WiFi network without relying on MAC addresses, you can consider implementing a solution like Network Access Control (NAC) or Endpoint Detection and Response (EDR) systems that can identify devices based on various attributes such as device type, operating system, or user credentials. Additionally, you can explore using solutions that offer device fingerprinting or integration with Mobile Device Management (MDM) platforms to enforce policies based on device characteristics rather than just MAC addresses.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.