Prevent students from using both computer, phone and tablet at the same time

Author
Leswan
2021/05/20 10:42:17


Hey,
I'm trying to limit my students from using all of their devices on the school's wifi network at the same time.
 
I've changed policy-auth-concurrent to 1 (https://kb.fortinet.com/kb/documentLink.do?externalID=FD33675) in the hope that this would help.

I use WPA2 enterprise for the SSID and I use the local FortiGate user database for authentication. I log on just fine, but it still lets me log on with both computer, phone etc. at the same time.
 
My question is: Is policy-auth-concurrent the command to use for this or am I all wrong? Does anyone know what I could be missing or if there are other commands more suitable for my problem?


It used to be a simple task with my old Untangle firewall, but it seems a bit more complicated here ;-)

Sincerely

Leswan
#1


    xsilver_FTNT
    Re: Prevent students from using both computer, phone and tablet at the same time 2021/06/14 23:40:05
    Hi,
    auth-concurrent should work. Make sure you haven't overridden it via auth-concurrent at the per-user or per-group level with an unlimited setting. Or, on the other hand, try to override the global setting on a per-user basis, as the per-user setting takes precedence over the global setting (as it is more specific).
     
    If you want to let them log in from authorized devices only, then, besides implementing some serious NAC (Network Access Controller), you can also ...

    1. Control access on IP level. Only specific IPs from workstations are allowed. IPs are set statically, with no automatic IP assignment to new devices. Weak, as one can set his own static IP.

    2. MAC based: IPs are assigned semi-statically by DHCP, which will assign an IP just to reserved MAC addresses.
    You need to enroll MAC addresses in the DHCP reservation. A small list can be maintained even by the FortiGate. Bigger deployments should use a separate DHCP server. IP per MAC assignment is an old but still good trick.
    Stronger, as it's harder to get your MAC enrolled; weak against misuse and setting an IP from the expected pool statically.

    3. 802.1x port-based authentication. This could be, for example, even EAP-TLS for wired or wifi. Certs and PKI are involved, so cert enrollment for users/computers is needed. For example FortiAuthenticator, if in place, can let users self-enroll their own device certificates, but for a set number of devices, like 1 device only, to limit and have some control over the BYOD scenario.
    Enrollment can be controlled or can even mandate admin approval.
    That's a more complex scenario and more secure from my point of view.
     

    Tom xSilver, planet Earth, over and out!
    #2
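
Added example, not part of the thread and not FortiGate tooling: a way to check whether a one-device-per-user limit is actually holding, by flagging users whose sessions from different MAC addresses overlap in time. The record layout, usernames, MACs and the `concurrent_devices` function are assumptions made for illustration; real session data would first have to be exported into this shape.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
# Constructed sample records (not FortiGate log output): one row per
# wireless session as (username, client MAC, start, end); an end of
# None means the session is still open.
SAMPLE_SESSIONS = [
    ("student01", "aa:bb:cc:00:00:01", "2021-05-20 08:00", "2021-05-20 09:30"),
    ("student01", "aa:bb:cc:00:00:02", "2021-05-20 09:00", "2021-05-20 10:00"),
    ("student02", "aa:bb:cc:00:00:03", "2021-05-20 08:00", "2021-05-20 09:00"),
    ("student02", "aa:bb:cc:00:00:04", "2021-05-20 09:00", "2021-05-20 10:00"),
    ("student03", "aa:bb:cc:00:00:05", "2021-05-20 08:00", None),
    ("student03", "AA-BB-CC-00-00-05", "2021-05-20 08:30", None),
    ("student03", "aa:bb:cc:00:00:06", "2021-05-20 11:00", None),
]


def concurrent_devices(sessions, limit=1):
    """Return {user: peak distinct MACs online at once} for every user
    whose peak exceeds `limit`."""
    events = defaultdict(list)
    for user, mac, start, end in sessions:
        mac = mac.lower().replace("-", ":")  # one device, one spelling
        t0 = datetime.strptime(start, FMT)
        t1 = datetime.strptime(end, FMT) if end else datetime.max
        if t1 <= t0:
            continue  # ignore zero-length or malformed sessions
        # Kind 0 (disconnect) sorts before kind 1 (connect), so a device
        # leaving in the same minute another joins is not an overlap.
        events[user] += [(t0, 1, mac), (t1, 0, mac)]

    violations = {}
    for user, evs in events.items():
        active = defaultdict(int)  # MAC -> number of open sessions
        peak = 0
        for _, kind, mac in sorted(evs):
            active[mac] += 1 if kind else -1
            if active[mac] == 0:
                del active[mac]
            peak = max(peak, len(active))
        if peak > limit:
            violations[user] = peak
    return violations
```

A client that randomises its MAC address on each connection shows up here as a new device, so a flagged user is a prompt to look closer rather than proof of a second device.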