ID non-approved client devices & take action based off MAC?

wecnal
Here to help


I recently took over management of a Meraki org with 600+ retail/warehouse combo locations. In each of these there is an MX, at least one switch (MS225 series for the most part) and one or more MR WAPs. Network config consists of two VLANs, one for corp devices with VPN access to a hub, and one isolated for credit card/payment devices. I'm trying to figure out a way to identify non-approved/non-corp client devices on every network, and push them onto a separate (not yet created) VLAN for guest-related purposes. I'm looking for options on how to accomplish this.


In the past, I have seen this solved (with the help of an SE team) by creating a python script that listens to a syslog for DHCP-related events and then takes action for each client on each network accordingly via APIs. This, of course, assumes that I have the OUI of the MAC address for each approved client device/type (which I do). But I don't have those python resources at this new job, and it's beyond my scripting abilities to create it from scratch.


Is there any off the shelf/other method of accomplishing this? I've heard Cisco ISE could do it, and I'm going to be looking into that. But curious for any other solves. Thanks!
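The syslog-driven OUI check described in the post, as an added Python example that is not part of the original thread or of any Meraki tooling. The syslog line layout, the approved OUI values and the action names are assumptions; actually moving a client to the guest VLAN (for example via the Dashboard API) is left to the caller, and the code also flags randomized MACs, which no OUI list can match.

```python
import re
# Approved OUIs (first three MAC octets). Constructed placeholders: replace with the
# OUI list of the org's real corporate and payment-terminal devices.
APPROVED_OUIS = {"00:1C:B3", "A4:5E:60"}

# Assumed line shape, modelled on an MX "dhcp lease" syslog event; adjust the
# pattern to the exact format your MX emits.
LEASE_RE = re.compile(r"events dhcp lease of ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?"
                      r"client mac (?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")

def normalize_mac(mac: str) -> str:
    return mac.upper().replace("-", ":")

def is_locally_administered(mac: str) -> bool:
    # Randomized/private MACs set the locally-administered bit (0x02) of the first
    # octet, so they carry no vendor OUI and can never match an approved list.
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def classify(line: str, approved=APPROVED_OUIS):
    """Return (mac, ip, action) for one DHCP lease line, or None for other events."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    mac = normalize_mac(m.group("mac"))
    if is_locally_administered(mac):
        action = "review-randomized-mac"
    elif mac[:8] in approved:
        action = "keep"
    else:  # an OUI is spoofable, so this is a coarse inventory filter, not authentication
        action = "move-to-guest-vlan"
    return mac, m.group("ip"), action

def process_syslog(lines, approved=APPROVED_OUIS):
    """Act on each distinct client once, so DHCP renewals do not repeat the action."""
    seen, decisions = set(), []
    for line in lines:
        d = classify(line, approved)
        if d is not None and d[0] not in seen:
            seen.add(d[0])
            decisions.append(d)
    return decisions

# Constructed sample lines (not from a real network): line 3 is a renewal of the
# first client, line 4 a device using a randomized MAC.
SAMPLE_LOG = [
    "1593605445.044 MX64 events dhcp lease of ip 10.10.1.25 from mx server mac 00:18:0A:AA:BB:CC for client mac 00:1c:b3:12:34:56 from router 10.10.1.1",
    "1593605446.100 MX64 events dhcp lease of ip 10.10.1.26 from mx server mac 00:18:0A:AA:BB:CC for client mac 3C:22:FB:77:88:99 from router 10.10.1.1",
    "1593605447.200 MX64 events dhcp lease of ip 10.10.1.25 from mx server mac 00:18:0A:AA:BB:CC for client mac 00:1C:B3:12:34:56 from router 10.10.1.1",
    "1593605448.300 MX64 events dhcp lease of ip 10.10.1.27 from mx server mac 00:18:0A:AA:BB:CC for client mac 0A:11:22:33:44:55 from router 10.10.1.1",
]
```

Feeding `process_syslog` with lines read from a syslog socket or file gives one decision per new client; a daemon would then apply the action through the Dashboard API and log it.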

3 Replies
PhilipDAth
Kind of a big deal

I don't suppose you would be lucky enough for all the corporate-owned devices to be Windows computers belonging to Active Directory?

wecnal
Here to help

Still trying to figure this one out. I would say the majority of them, yes - at least enough to have a great starting point. What do you have in mind?

PhilipDAth
Kind of a big deal

You could enable both wired and wireless 802.1x authentication and have those machines authenticate with their AD machine accounts (or you could use users' accounts instead). You can authenticate against Microsoft NPS (RADIUS built into Windows server - no extra cost). You can also push a VLAN to dynamically move users into a new VLAN.


Here is an example of how to set it up on a Meraki switch.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)
