Blocking mobile devices



  • Dear friends,

I have a question: can we use a method/feature to block mobile devices, like a Cisco Meraki access point does, by OS detection?
    First, I thought about forwarding HTTP to Squid and detecting the user-agent, but that is impossible because:
    - It is not implemented for HTTPS
    - The packets are still running, like broadcast, …. (Cisco Meraki blocks all packets; they only work if the mobile device is allowed by Meraki: TCP[HTTP, HTTPS, …], UDP[DNS, …])

Please give me a solution; Cisco Meraki is too expensive to apply in a wide environment.

    Thanks!



  • It sounds as if you are looking for a solution that does device fingerprinting.
    Several wireless vendors offer solutions that do this (Aerohive, Aruba, Cisco, Extreme-Networks), but they are all enterprise grade solutions.

    pfSense claims that it allows you to do this at the rule level, in fact https://www.pfsense.org/about-pfsense/features.html says as much:

    pfSense software utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense software allows for that (amongst many other possibilities) by passively detecting the Operating System in use.

When you click on Advanced Options when creating a rule, you will see a Source OS drop-down list that allows you to create filters based on the type of OS; the problem is that this list doesn't appear to have been updated in many, many years, as Apple and Android are conspicuously missing!



Yes awebster, you are right. Exactly: I need a newer feature/method; the one in Advanced Options is too old and not effective!



Back to the first comment (thread), and with Captive Portal: maybe I was wrong about HTTP and HTTPS, because any device that wants to get out to the internet needs to access the HTTP Portal, which I configured before.

    At the HTTP Portal, there may be 2 cases:
    - Write a config for the HTTP service (in this case lighttpd), or use JavaScript like https://stackoverflow.com/questions/1005153/auto-detect-mobile-browser-via-user-agent, to deny mobile devices by user-agent: iOS, Android, …
    - Write a bash script which can read the Portal's log file to filter MACs by user-agent, then tell the DHCP server not to assign an IP to that client, and also block that MAC.

    This is my idea; I think it is not good, but I cannot think of another solution!

    Can anyone give me advice or suggestions? Thanks!
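
The log-parsing approach described in this post (and the Squid user-agent idea from the first post) can be prototyped as below. This is an added example, not code from the thread or from pfSense: it parses constructed lighttpd access-log lines in the default common log format, classifies each request's user-agent with a token list modelled on the linked Stack Overflow answer, and joins the client IP against a constructed DHCP lease table to produce the MAC addresses to block. The regexes, sample log lines, lease table and function names are all assumptions made here. Two caveats a practitioner should keep in mind: the user-agent is supplied by the client and is trivially changed, so this is a soft control at best, and some tablet browsers (iPadOS Safari, for instance) send a desktop user-agent by default, so such devices will be classified as "other".

```python
import re
from typing import Dict, Iterable, List, Tuple

# lighttpd's default access log is the common/combined format:
# client-ip ident user [time] "request" status bytes "referer" "user-agent"
# (constructed regex; adjust if your accesslog.format differs)
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that mark a phone/tablet browser, after the approach in the linked
# Stack Overflow answer. Constructed starting point, not an exhaustive list.
MOBILE_UA_RE = re.compile(
    r"android|iphone|ipad|ipod|mobile|windows phone|blackberry|opera mini",
    re.IGNORECASE,
)


def classify_user_agent(ua: str) -> str:
    """Return "mobile" if the user-agent carries a known mobile token, else "other"."""
    return "mobile" if MOBILE_UA_RE.search(ua) else "other"


def parse_access_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (client_ip, user_agent) pairs; lines that do not fit the format are skipped."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line.strip())
        if not m:
            continue  # truncated or foreign line: ignore rather than crash
        hits.append((m.group("ip"), m.group("ua")))
    return hits


def find_mobile_clients(log_lines: Iterable[str], leases: Dict[str, str]) -> Dict[str, str]:
    """Map MAC -> user-agent for every client that looks mobile AND has a DHCP lease.

    The portal log only knows the client IP; the lease table (IP -> MAC) is the
    join that turns it into something a DHCP deny list can act on. Clients
    without a lease (static IP, expired lease) cannot be mapped and are skipped.
    """
    blocked: Dict[str, str] = {}
    for ip, ua in parse_access_log(log_lines):
        if classify_user_agent(ua) != "mobile":
            continue
        mac = leases.get(ip)
        if mac is None:
            continue
        blocked[mac.lower()] = ua
    return blocked


# --- constructed sample data (not real logs) --------------------------------
SAMPLE_LOG = [
    '192.168.1.23 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1"',
    '192.168.1.24 - - [10/Oct/2023:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/117.0 Safari/537.36"',
    '192.168.1.25 - - [10/Oct/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/117.0 Mobile Safari/537.36"',
    # Android client with no lease in the table below: detected but unmappable
    '192.168.1.26 - - [10/Oct/2023:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 13; SM-X700) AppleWebKit/537.36 Chrome/117.0 Safari/537.36"',
    "garbage line that does not match the log format",
]

# Constructed IP -> MAC table, the shape you would build from dhcpd.leases
SAMPLE_LEASES = {
    "192.168.1.23": "AA:BB:CC:00:00:01",
    "192.168.1.24": "AA:BB:CC:00:00:02",
    "192.168.1.25": "AA:BB:CC:00:00:03",
}

if __name__ == "__main__":
    for mac, ua in sorted(find_mobile_clients(SAMPLE_LOG, SAMPLE_LEASES).items()):
        print(f"{mac}\t{ua[:60]}")
```

Run against the constructed sample it yields two MACs (the iPhone and the Pixel); the Windows laptop is classified "other", and the second Android device is dropped because its IP has no lease. How the resulting MACs are enforced (a DHCP deny list, a captive portal MAC block) depends on the deployment and is not shown here.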


  • LAYER 8 Global Moderator

    "block mobile devices"

    How would these mobile devices be accessing your wifi in the first place?  How do they have the creds?  So are you talking about a user that has a laptop and he knows how to auth to your wifi, so you want to stop him from adding his phone/tablet to your wifi network?

Are these laptops issued by you? Are they of a specific model, and what software do they run?  It would be simple enough to create a MAC-based list for these devices, so other vendors would have a different MAC, etc.  Why not just use an auth method that requires a cert on the devices you want to join, etc.?  There are plenty of ways to skin a cat.  But missing the details of what cat this actually is to know the best way to skin it.

If you could give more details of your setup, and what these mobile devices are that you're wanting to keep off your network..  How do they know how to auth to your wifi network?  If they are your users, why not just tell them not to join their mobile devices, and if caught doing so they will be fired or all of their wifi access will be blocked, etc.
