Block personal wireless devices at work
I think my question will be answered by "you can't" but here it goes......
I want to tighten up my wireless access at work and deny services to cell phones / tablets/ etc. Only allow work PC's and laptops. Everything else (IoT) can connected on a 'guest' network.
Aside from cataloging each laptop / PC MAC address and set a rule that if it does not match access is forbidden is there an "easier softer way" to restrict use to a staff WiFi?
The other way I thought of, is monitor the staff WiFi for any phones / tablets and block them when I see it. Again, a horrible tedious exercise.
So, please let me know if there is a way. If not, my days will be occupied as the WiFi Gestapo.
802.1x auth on your APs? If they support it.
If nothing else it would make it inconvenient to connect other things. You would also log everything that is connecting making it easier to block things.
You're close to the optimal solution :
the WiFi Gestapo
You have to make all the allowed members of your trusted network member of the Gestapo club.
Like this :
You change the Wifi password, and inform each allowed member of this password.
You do this ones.
Next time, when you see a non allowed member on the network, you change the Wifi password again.
This time you tell no one.
They (the allowed ones) will find you.
Only then, you tell them that you had to change the password because some "some one" of your gestapo group wasn't able to keep his mouth shut.
This will probably happen one or two times after that - and then the issue stops. As all the members of your group will have one identical goal : find the one that talks. And working as a group, the individual will get caught.
Edit : if this works out, call me, I'll bring the crude oil and feathers.
Or transform your trusted LAN in a captive portal. Now you can add MAC based rules, as ipfw, the captive portal firewall can handle MAC's - the ordinary pf firewall can not.
Thanks so much for your solution. This crosses into the realm of "sneaky pete".
However, it certainly seems like the best solution with a short learning curve for users.
This is how I do it at work, since I'm in charge of all the tech gear.
I have 2 wireless networks - 1 is the LAN (trusted) network, the other is a GUEST network (VLAN'd away from the LAN network). I put all the work gear on the LAN network, and don't share the password. I don't even share it with the owners. It is in a safe spot, just in case they need it, 'cuz I don't want to hide anything from them. The GUEST network also has a password, but it's shared openly - on the bulletin board, on some small signs in the training & conference rooms, on some p-touch label stickers on the clocks, etc. This network is used for employees that bring their personal gear to the office - cell phones, tablets, smart watches, and other stuff.
Basically, what I would suggest, lock down the trusted wireless network with a good password, and make the GUEST or other wireless networks plain simple to get on.
Thanks so much for the suggestion. It seems fairly painless for all.