Blocking Access to SSID Without Splash Page

New here

Good day! I'm conducting research for my employer, as our TechOps team has a learning curve on Meraki. Currently, we are learning how to set up MAC-based access control to a test SSID network for mobile devices.

 

We enabled devices to access our test SSID controlled by MAC address. However, there's an issue: any device can access the test SSID when the Sign-On Splash page is disabled.

 

QUESTION

When you're not using a Sign-On Splash page to access an SSID, how do you restrict users without having to add them to a blacklist?

 

Thank you!

Kind of a big deal

Re: Blocking Access to SSID Without Splash Page

We set up ours with this configuration.

[screenshot attachment: Capture.PNG]

Then we whitelist MAC addresses that should be able to connect, and they don't get the sign-on screen. This prevents others from being able to connect. Although whitelisting the MAC also makes them exempt from other restrictions like traffic shaping etc., so it isn't a perfect solution.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
New here

Re: Blocking Access to SSID Without Splash Page

Great, thanks for the response! I'll pose a more concise and clearer question.

 

How do I block users from accessing an SSID network without using the Sign-On Splash page or blacklisting the user's device MAC address?

Kind of a big deal

Re: Blocking Access to SSID Without Splash Page


@Othello wrote:

Great, thanks for the response! I'll pose a more concise and clearer question.

 

How do I block users from accessing an SSID network without using the Sign-On Splash page or blacklisting the user's device MAC address?


My above response would disallow any computer from connecting to the SSID unless it was whitelisted. It would not require a splash page. If the user were not whitelisted, they'd get a Meraki login page for which they don't have credentials. But from your revised question, I'm assuming you are wanting to allow anyone to connect except a selection of blacklisted MAC addresses?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Kind of a big deal

Re: Blocking Access to SSID Without Splash Page

What's the purpose of this SSID? Is it meant to support BYOD or company owned devices? 

MRCUR | CMNO #12
New here

Re: Blocking Access to SSID Without Splash Page

Thanks all!

 

We created an SSID in our network for testing purposes. The purpose was to test the ability to restrict connectivity to this SSID purely based on the MAC address of devices. The test "seemed" to work, as we tested with and without the Sign-On Splash page.

 

However, we encountered a problem. Unauthenticated users (devices with MAC addresses neither blacklisted nor whitelisted) were able to connect to the SSID. It seems the only way to prevent this problem is to enable the Sign-On Splash page. Therefore, only devices with whitelisted MAC addresses can connect to the SSID, after the user submits valid credentials on the Sign-On Splash page.

 

What is a one-size-fits-all solution to address the following:

 

1. Restrict unauthenticated users (devices) from accessing the SSID, without blacklisting the MAC Address or using a Sign-On Splash page.

 

2. Allow authenticated users (devices) to access the SSID, by whitelisting the MAC address, without using a Sign-On Splash page.

 

Without using the Sign-On Splash page, we want authenticated devices to access the SSID and to restrict unauthenticated devices from accessing the SSID.

Kind of a big deal

Re: Blocking Access to SSID Without Splash Page

Do you require MAC-based auth for the SSID, or can you implement 802.1X (hosted by Meraki or yourself)? I typically do everything possible to not deploy MAC-based auth, as it's a pain to manage compared to using 802.1X and having people auth with their existing AD accounts (or Meraki accounts).

MRCUR | CMNO #12
New here

Re: Blocking Access to SSID Without Splash Page

Currently, we don't have any policy in place. Guests and employees alike can access the SSID in the office. Start-up culture through and through over here! This is the purpose for testing MAC-based authorization for the SSID. From what I gather, 802.1X requires a RADIUS server, which we do not have.

 

Based on the information provided, what is our solution?

 

Thanks

Kind of a big deal

Re: Blocking Access to SSID Without Splash Page

I'd suggest creating two SSIDs: one for employees and one for guests.

 

For the employee SSID, I would use Meraki-hosted 802.1X. You manage the accounts through Dashboard, and users will connect to the SSID using the email and password associated with the account. No unauthorized devices or users will be able to connect. If a user needs to be disabled, that's easy to do in Dashboard, and then they lose access.

 

For the guest SSID, you could have an open SSID with a splash page or use Meraki guest auth (which can do IT-managed accounts or have users request access from employees, i.e. sponsored guest mode). You can run this SSID in NAT mode so that the APs handle the IP addressing and block guests from accessing internal resources.

MRCUR | CMNO #12
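The two-SSID design above, expressed as Dashboard API payloads plus an audit for the thread's failure mode (an open SSID with no splash page that any device can join). This is an added example, not Meraki's code or anything posted in the thread; it assumes Dashboard API v1 field names (`authMode`, `splashPage`, `ipAssignmentMode`) and the `PUT /networks/{id}/wireless/ssids/{number}` endpoint, which should be checked against the current API reference before use.

```python
"""Constructed example: build the employee/guest SSID payloads MRCUR recommends
and flag SSIDs that admit any device. Field names and endpoint are assumed from
the Dashboard API v1 and must be verified against the API reference."""
import json
import urllib.request

API = "https://api.meraki.com/api/v1"  # assumed base URL

def employee_ssid(name):
    # Meraki-hosted 802.1X: only accounts created in Dashboard can associate,
    # so neither a MAC list nor a splash page is needed to keep strangers off.
    return {"name": name, "enabled": True, "authMode": "8021x-meraki",
            "splashPage": "None", "ipAssignmentMode": "Bridge mode"}

def guest_ssid(name):
    # Open SSID gated by a click-through splash page and isolated in NAT mode,
    # so the APs hand out addresses and guests cannot reach internal subnets.
    return {"name": name, "enabled": True, "authMode": "open",
            "splashPage": "Click-through splash page",
            "ipAssignmentMode": "NAT mode"}

def unrestricted_ssids(ssids):
    # The thread's problem: open auth with no splash page means any device
    # can associate whether or not its MAC is whitelisted. Return those names.
    return [s["name"] for s in ssids
            if s.get("enabled") and s.get("authMode") == "open"
            and s.get("splashPage", "None") == "None"]

def push_ssid(network_id, number, payload, api_key, dry_run=True):
    # Issues the PUT only when dry_run is False; always returns the URL used.
    url = f"{API}/networks/{network_id}/wireless/ssids/{number}"
    if not dry_run:
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(), method="PUT",
            headers={"X-Cisco-Meraki-API-Key": api_key,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()
    return url

# Constructed sample mirroring the thread: a test SSID guarded only by a MAC list.
SAMPLE = [{"number": 0, "name": "Test-MAC", "enabled": True,
           "authMode": "open", "splashPage": "None"},
          {**employee_ssid("Corp-Staff"), "number": 1},
          {**guest_ssid("Corp-Guest"), "number": 2}]

if __name__ == "__main__":
    print("SSIDs any device can join:", unrestricted_ssids(SAMPLE))
    print(push_ssid("N_PLACEHOLDER", 1, employee_ssid("Corp-Staff"), "KEY_PLACEHOLDER"))
```

Run with `dry_run=False` and a real network ID and API key only after confirming the field values in the API reference.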
New here

Re: Blocking Access to SSID Without Splash Page

Thanks for offering such a sound and useful solution. Greatly appreciate your feedback!

 

Systems Manager, Meraki's Enterprise Mobility Management (EMM) tool, allows devices to be remotely managed. This might be a better option, per my colleague in TechOps (fingers crossed). Info links are provided below for your convenience.

 

https://meraki.cisco.com/lib/pdf/meraki_datasheet_sm.pdf

 

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

Blessed day to you.

Kind of a big deal

Re: Blocking Access to SSID Without Splash Page

Systems Manager would give you access to Sentry WiFi, which is Meraki-hosted 802.1X including a hosted PKI infrastructure, so you can very easily deploy certificate-based WiFi auth (EAP-TLS). If you're interested in the other benefits of SM for your managed devices, I would absolutely recommend deploying Sentry WiFi.

 

Just keep in mind that if you go the Sentry WiFi route, the SSID you enable it on will *only* support SM-enrolled devices. If you want to have guests connect that do not enroll into your SM network (you'd need to pay for a license if you allowed this), you would still need a second SSID for them.

MRCUR | CMNO #12