Hey,
I'm trying to limit my students from using all of their devices on the school's wifi network at the same time.
I've changed policy-auth-concurrent to 1 (https://kb.fortinet.com/kb/documentLink.do?externalID=FD33675) in hope that this would help I use WPA2 enterprise for the SSID and I use the local FortiGate user database for authentication. I log on just fine, but it still lets me log on with both computer, phone etc. at the same time
My question is: Is policy-auth-concurrent the command to use for this or am I all wrong? Anyone know what I could be missing or if there are other commands more suitable for my problem
It used to be a simple task with my old Untangle firewall, but seems a bit more complicated here ;-) Sincerely Leswan
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
auth-concurrent should work. Make sure you haven't overridden those via auth-concurrent on per user or per group level with unlimited setting. Or on the other hand try to override global setting on per user level basis, as per user setting does have precedence over global setting (as it is more specific).
If you want to let them login from authorized devices only, then, besides of implementation of some serious NAC (Network Access Controller), you can also ...
1.
control access on IP level. Only specific IPs from workstations allowed. IPs set statically, no automatic IP assignment to new devices. Weak as one can set his own static IP.
2.
MAC based .. IPs assigned semi-statically by DHCP which will assign IP just to reserved MAC addresses.
Need to enroll MAC addresses to DHCP reservation. Small list can be maintained even by FortiGate. Bigger deployments should use separate DHCP server. IP per MAC assignment is old but still good trick.
Stronger as it's harder to get your MAC enrolled in, weak against misuse and setting IP from expected pool statically.
3.
802.1x port based authentication. Could be for example even EAP-TLS for wired or wifi. Certs and PKI involved and so cert enrollment for users/computers needed. For example FortiAuthenticator, if in place, can let users self-enroll their own device certificates but for set amount of devices, like 1 device only, to limit and have some control over BYOD scenario.
Enrollment can be controlled or even mandate admin approval.
That's more complex scenario and more secure from my point of view.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thanks for the answer and all the extra options. I got it to work with Captive Portal. I will try to set up a RADIUS server at some point and see if I can get it to work with that instead.
It looks like you're on the right track, but the issue might be a bit more nuanced. The policy-auth-concurrent setting is indeed designed to limit the number of concurrent user sessions, but since you're using WPA2 Enterprise with local FortiGate authentication, there could be other factors at play. FortiGate's session limits typically apply to web authentication rather than WPA2 Enterprise, which might explain why you're still able to log in from multiple devices simultaneously.
To achieve what you're looking for—restricting users to one device at a time—you may need to explore more advanced features like per-user session limits under user group policies or consider using MAC filtering. Alternatively, leveraging FortiGate's captive portal and enabling device identity-based access control could provide more granular control over how many devices can connect per user.
If these options don’t work, you might want to check the FortiGate documentation or reach out to Fortinet support for more tailored guidance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.