Block Smartphones from accessing Wifi

Hi,

Just would like to ask if it is possible to block smartphones (esp. Android phones) from accessing wifi.

I have plenty of smartphones in the office and my access point is only limited to 30 devices so some important devices including laptops are unable to connect. Hopefully you can help me with this matter. Thanks



This thread was automatically locked due to age.
  • Recommended:

    If you are using password-based WiFi, you need to control the password. Reset the password on the WiFi and reconfigure all of the allowed clients. Then do not give away the password to others.

    Personal devices should be on a guest WiFi.  If you have a guest network, but do not have the licensing to support it, then turn it off.

    Other options:

    You could create a web filtering Filter Profile to require AD SSO authentication for Apple and Android operating systems. This should make the phones useless for web access, which will reduce but not eliminate the number of people trying to use your WiFi from their phones.

    You could switch to 802.1X authentication for WiFi connections, so that only authorized devices can connect. This can be complicated; I have read about it but not implemented it myself. Not sure what support Sophos provides for 802.1x.

  • Thank you for your response, I appreciate it. Can you please show me how to do it? The AD SSO authentication. I am new to Sophos actually. I have an old TP-Link router and I made it into an access point connected to the Sophos UTM. I have configured the wireless and everything is working, except that I want to block phones without knowing them. Thanks

  • OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • We implemented 802.1x machine authentication and it works a treat. Basically the only clients that are allowed to connect are clients that are listed within our AD groups.

    It's far superior to user authentication and now we have users with:

    1. Users with laptops, tablets - the clients automatically connect when within range and therefore get updates, definitions etc. prior to the user logging on. Before, we had user authentication, so clients never connected until the user actually logged on.

    2. Mobiles - only our mobiles can connect. Before, the user could put their password into any device and it connected. Passwords don't come into it anymore.

    3. Wired clients - now only our PCs, printers etc. can connect, whereas prior to this, anything could be plugged in.

    It can be a little tricky to set up, e.g. redundancy etc., but well worth it in the end, i.e. it's centralised.

  • This will not solve your licensing problem, because UTM remembers MAC addresses for a week. The correct solution is to get control of your WPA2 passwords. But since you asked...

    1) Create or modify a Transparent Web Filter Profile and enable AD SSO authentication. Apply it to the IP addresses associated with your WiFi. Optionally, use the "Device-Specific Authentication" option to choose a different mode for your Windows devices and AD SSO for Android and iOS. Cell phones will silently fail AD SSO authentication.

    2) Within that Filter Profile, create a Policy object and check the option for "Apply this policy to unauthenticated users".

    3) Link that Policy to the "Default Block" Filter Action, or create one of your own that is sufficiently oppressive.

    For more details on Web Filtering, read the articles in the Wiki for initial information, and the articles pinned to the top of the Web Filtering forum for advanced topics.
