Can you ban mobile devices from using your wifi?
I don't mean by using the MAC, I mean is there an identifier that can be used to determine if a device is iOS or an Android variant?
Banning Mobile Devices from WiFi
Bump for interest
we can see the ip count, dumbass
A mask for the MAC address, or analyze the OS with nmap and poison the ARP to cut them out.
Just ditch wifi and use Ethernet like a sensible person.
I would but our office is filled with people who are demanding wifi.
They can get fucked. It's a wide open security risk. Monitor the office for wireless dongles too. Then get the employee fired for allowing a virus into the network.
Yes but it would be too advanced for you, and I can't be bothered to smash bits of knowledge and feed you
Wish I could, I watch hak5 and I get that it's not a great idea guys, but I have to keep it because the office just dropped 8 grand on our update with 2 wifi access points and a sonicwall firewall. I just need the answer for filtering mobile devices without knowing their mac.
Fuck off or give me the breakdown of it.
it can be done but you'll need to send me buttcoins before i teach you how to do it :^)
Ignoring spoofing, MAC addresses are your best bet here. After that, tcp fingerprinting, which you generally do a port scan to get enough info to do. If you force users to a clickthrough, you could do user agent detection.
Thanks man
I'm using a SonicPoint. I was thinking I might need to get a Meraki.
MAC filtering of any kind is completely worthless and doesn't gain you anything. It's trivial to spoof MAC addresses.
It's more than enough to stop the mass of people that go "GIB WIFI PASSWORD PLOX"
I'm not dealing with any geniuses at our site.
It could be argued that they're retarded actually.
Radius server.
>MAC filtering of any kind is completely worthless and doesn't gain you anything. It's trivial to spoof MAC addresses.
Trivial on Linux & Windows. Quite a bit harder on mobile devices, especially if you don't jailbreak. Add to that the fact that almost no iPhone users bother to jailbreak, and many Android users don't either, and you'll catch most users. The sad thing is, the same goes for computer users, even though they can spoof so much more easily. People are lazy. Never forget that.
Anyway, it's not foolproof, it just weeds out 90%+ for you. You do this in layers.
I suppose it keeps out the most casual of users, but MAC filtering of any kind should not be considered security in any sense.
Yeah we're all still stuck on MACs.
C'mon guys I need something more fancy to identify Devices other than a windows machine and reject their connection.
Identify browsers. Safari.
Most devices aren't just going to leak their operating system details to you over the network.
User agents are completely trivial to spoof as well, even more so than MAC addresses.
Android and iOS both can use Chrome.
But when was the last time you were booted from a network because of your browser. People won't pick it. And security should never just be one thing but a combination of methods and fail-safes.
Chrome should be auto boot as well.
This is driving me nuts.
Can someone explain how TCP fingerprinting works?
Here you go: nmap.org
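A simplified passive form of the TCP fingerprinting asked about above, as an added example (not from this thread, and not nmap's method, which actively probes the host): it reads the TTL, window size and option order from a client's SYN and guesses the OS family from the starting TTL. All function names and both sample packets are constructed for illustration.

```javascript
// Added example: passive classification of a client's TCP SYN (Node.js).
// Parse an IPv4 packet that carries a TCP SYN; return null for anything else.
function parseSyn(buf) {
  if (buf.length < 20 || (buf[0] >> 4) !== 4) return null;      // not IPv4
  const ihl = (buf[0] & 0x0f) * 4;                              // IP header length
  if (ihl < 20 || buf[9] !== 6 || buf.length < ihl + 20) return null; // not TCP
  const tcp = buf.subarray(ihl);
  if ((tcp[13] & 0x12) !== 0x02) return null;                   // SYN set, ACK clear
  const end = (tcp[12] >> 4) * 4;                               // TCP header length
  if (end < 20 || tcp.length < end) return null;
  const options = [];
  for (let i = 20; i < end; ) {
    const kind = tcp[i];
    if (kind === 0) break;                                      // end of option list
    options.push(kind);
    if (kind === 1) { i += 1; continue; }                       // NOP has no length byte
    if (i + 1 >= end) return null;                              // truncated option
    const len = tcp[i + 1];
    if (len < 2 || i + len > end) return null;                  // malformed length
    i += len;
  }
  return { ttl: buf[8], window: (tcp[14] << 8) | tcp[15], options };
}

// Each hop only lowers the TTL, so round up to the nearest common starting value.
function initialTtl(ttl) {
  return [32, 64, 128, 255].find((start) => ttl <= start);
}

// Coarse family guess from the starting TTL alone.
function guessFamily(fp) {
  if (!fp) return "unknown";
  const start = initialTtl(fp.ttl);
  if (start === 128) return "windows-like";
  if (start === 64) return "unix-like"; // Linux, Android, iOS and macOS all start at 64
  return "unknown";
}

// Constructed sample: TTL 64, window 65535, options MSS, SACK-permitted, TS, NOP, WS.
const SAMPLE_SYN_TTL64 = Buffer.from(
  "4500003c0000400040060000c0a80132c0a80101" +   // IPv4 header
  "c35001bb0000000100000000a002ffff00000000" +   // TCP header, SYN
  "020405b40402080a000000010000000001030307", "hex");
// Constructed sample: TTL 127 (one hop from 128), window 64240.
const SAMPLE_SYN_TTL127 = Buffer.from(
  "45000034000040007f060000c0a80133c0a80101" +
  "c35101bb00000001000000008002faf000000000" +
  "020405b40103030801010402", "hex");
```

A starting TTL of 64 cannot tell a phone from a Linux or Mac laptop, and the host can change its TTL, so this is one signal to combine with others rather than a decision on its own.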
If you're cutting out the non-tech savvy 90% of users then are you really worried about the remaining 10% of people (who know their shit) bringing malware into the network?
Yes
The user agent strings for mobile Chrome and desktop Chrome are very much distinct from each other.
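The user-agent detection suggested earlier for a click-through portal, and the point above that mobile and desktop Chrome send distinct strings, as an added example (not code from this thread). `classifyUserAgent` and `portalDecision` are hypothetical names, and the desktop-only policy is an assumption.

```javascript
// Added example: server-side User-Agent classification for a captive portal.
// Function names and the allow-desktop-only policy are illustrative assumptions.
function classifyUserAgent(ua) {
  if (typeof ua !== "string" || ua.trim() === "") {
    return { os: "unknown", formFactor: "unknown", browser: "unknown" };
  }
  let os = "other";
  let formFactor = "desktop";
  if (/\biPhone\b|\biPod\b/.test(ua)) {
    os = "ios"; formFactor = "phone";
  } else if (/\biPad\b/.test(ua)) {
    os = "ios"; formFactor = "tablet";
  } else if (/\bAndroid\b/.test(ua)) {
    os = "android";
    // Chrome on Android sends the "Mobile" token on phones and omits it on tablets.
    formFactor = /\bMobile\b/.test(ua) ? "phone" : "tablet";
  } else if (/Windows NT/.test(ua)) {
    os = "windows";
  } else if (/Macintosh/.test(ua)) {
    os = "macos"; // iPadOS Safari also sends a Macintosh string by default
  } else if (/Linux/.test(ua)) {
    os = "linux";
  }

  // Order matters: Edge and Chrome on iOS also contain "Safari/".
  let browser = "other";
  if (/\bCriOS\//.test(ua)) browser = "chrome";            // Chrome on iOS
  else if (/\bEdg(e|A|iOS)?\//.test(ua)) browser = "edge";
  else if (/\bFirefox\/|\bFxiOS\//.test(ua)) browser = "firefox";
  else if (/\bChrome\//.test(ua)) browser = "chrome";
  else if (/\bSafari\//.test(ua)) browser = "safari";
  return { os, formFactor, browser };
}

// Fail closed: a missing or empty header is not treated as a desktop.
function portalDecision(ua) {
  const device = classifyUserAgent(ua);
  return { allow: device.formFactor === "desktop", device };
}
```

The header is supplied by the client, so this filters by default behaviour only; anyone who changes the string passes, which is why the thread treats it as one layer among several.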
Certificate based authentication for domain devices.
Use a captive portal with JS. Get the screen width. If the width is less than a laptop's then disable the confirm button.
This is complicated though
It will require captive portal software web servers, etc.
Cisco Identity Services Engine should be able to do this.
We have it at work and use it to appropriately assign certificates on a per-device basis, but I'm sure you could have it configured to block certain devices.
It does it via some proprietary black magic I don't quite understand (I'm switching/routing/VOIP not ISE skilled) to create device signatures based on some shit. Not sure. Do some reading if you're interested, but such a solution is gonna cost money, especially if you're buying Cisco.
Me again. As an extension to this, get a proper engineer to help with a good support contract.
If you're not already a Cisco shop it might be a bit harder to implement, I'm sure it uses CDP somehow and has some shit that only works on Cisco WAPs but I'm not sure. But if you want a way to do it in a corporate environment, try it out.
THIS RIGHT HERE OP
run AAA with protocol(s) that can detect OS's on devices. I'd talk to someone at Cisco
Cisco Meraki has this as a feature. Bet a lot of other manufacturers do as well.
This is another good piece of advice and you should be doing it (or some other form of 802.11x auth) as part of your wireless deployment.
you're an idiot and don't know how MAC addresses are allocated
>hint it's by company/device type
May I know why? Not being snarky here. Just curious. Couldn't you have the wifi as a separate network so that your users can browse Reddit and not install viruses on your workstations?