Block connections to the internet

Solved
JohnUK
Here to help

We are using MX65s at sites, which give out a DHCP address that allows LAN connections to get to the internet via the MX65.

Is there any way I can block all connections except the ones I authorise without using 802.1x? I want to stop users just plugging PCs/printers into the MX65.

Adam
Kind of a big deal

Couldn't you just disable the unused ports?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
MilesMeraki
Head in the Cloud

Isn't this the whole point of 802.1x? I.e., if a client doesn't authenticate, it doesn't get an IP/connection? Therefore, devices which can't authenticate via a wired connection, regardless of whether it's a printer/laptop/PC, won't get an internet connection.

Have a read of this knowledge base article; it also gives you examples of how to configure it - https://documentation.meraki.com/MX-Z/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X)

Eliot F | Simplifying IT with Cloud Solutions
JohnUK
Here to help

Adam - I use a standard switch connected to the MX65, so I cannot block every port.

WANKiller - I realise I can use 802.1x, but didn't want to go to the expense or hassle of implementing 802.1x.

On previous firewalls I have used, you can just authorise MAC addresses.

Adam
Kind of a big deal

Only somewhat inexpensive option I can think of then would be to get a small Meraki switch so you can go back to MAC authentication.  Otherwise 802.1x is the only other feasible option but far more complex.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Mr_IT_Guy
A model citizen

Looks like I forgot to hit post on this yesterday. There is an easy way to do this, but it requires a bit of setup.

  1. Create group policies for your network based on client needs. This is found under Network-wide > Configure > Group Policies.
  2. Navigate to Security Appliance > Configure > Firewall.
  3. In the Outbound Rules area under Layer 3, create a rule to Deny Any traffic from Any Source to Any Destination.

Now that you've done all this, for any client you want to allow Internet access, just assign them a group policy. If someone tries to plug into the MX device and they do not have a group policy assigned to them, they will not get Internet access. If you know the MAC address of the device prior to them connecting, you can add it under the clients page and assign a policy so that they will have access right away.

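A check of the setup described in the post above, as an added example that is not part of the original thread or Meraki's own code: it confirms the deny-any rule is matched before any allow rule and compares group-policy assignments against an inventory of authorised MAC addresses. The rule and client records are constructed, their field names are modelled on Meraki Dashboard API JSON and are assumptions, and the MAC inventory is hypothetical.

```python
# Constructed sample data. Field names are modelled on Meraki Dashboard API
# JSON and are assumptions; substitute an export from your own network.
L3_RULES = [
    {"comment": "Block unassigned clients", "policy": "deny", "protocol": "any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any"},
    {"comment": "Default rule", "policy": "allow", "protocol": "any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any"},
]
CLIENTS = [
    {"mac": "00:11:22:33:44:55", "devicePolicy": "Group policy", "groupPolicyId": "101"},
    {"mac": "66:77:88:99:AA:BB", "devicePolicy": "Normal", "groupPolicyId": None},
    {"mac": "02:00:00:00:00:01", "devicePolicy": "Group policy", "groupPolicyId": "101"},
]
AUTHORISED_MACS = {"00:11:22:33:44:55", "0a:0b:0c:0d:0e:0f"}  # hypothetical inventory

MATCH_FIELDS = ("protocol", "srcCidr", "srcPort", "destCidr", "destPort")


def default_is_deny(rules):
    """Rules match top-down: True only if deny any/any comes before any allow."""
    for rule in rules:
        if rule["policy"].lower() == "allow":
            return False  # something is permitted before the catch-all deny
        if all(str(rule[f]).lower() == "any" for f in MATCH_FIELDS):
            return True   # deny any/any reached first
    return False


def audit_clients(clients, authorised_macs):
    """Compare group-policy assignments against the list of authorised MACs."""
    report = {"ok": [], "unexpected_policy": [], "blocked": [], "missing_policy": []}
    seen = set()
    for client in clients:
        mac = client["mac"].lower()
        seen.add(mac)
        has_policy = (client.get("devicePolicy") == "Group policy"
                      and bool(client.get("groupPolicyId")))
        if has_policy:
            key = "ok" if mac in authorised_macs else "unexpected_policy"
        else:
            key = "missing_policy" if mac in authorised_macs else "blocked"
        report[key].append(mac)
    # Authorised devices never seen on the network can be pre-provisioned.
    report["not_seen"] = sorted(authorised_macs - seen)
    return report


if __name__ == "__main__":
    print("default deny in place:", default_is_deny(L3_RULES))
    print(audit_clients(CLIENTS, AUTHORISED_MACS))
```

An entry under `unexpected_policy` is a client that has internet access through a group policy but is missing from the inventory, which is the case to review first.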
JohnUK
Here to help

Thanks MR-IT-GUY, that will work.
