Meraki

Community

Restrict access to LAN

WarrenG
Getting noticed
‎Sep 11 2018 7:46 PM
‎Sep 11 2018 7:46 PM

Restrict access to LAN

We are trying to create a scenario where we can control access to our primary LAN depending on whether a computer or user is "trusted" or "untrusted". We have Active Directory, so by default any computer that is part of the AD should be trusted. In addition, we need to be able to add other computers to the trusted computers group (eg for consultants). If a computer is not joined to the AD, or is not explicitly trusted, then it should be untrusted. Untrusted computers should get Internet access, but no access to the LAN. We have an MX64 with advanced security license, and also Meraki switches and Wireless APs. We need to be able to do this for both wired and wireless clients. Is this scenario possible? Thanks all for your help!

0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 11 2018 8:38 PM
‎Sep 11 2018 8:38 PM

Yes.  Ideally you would use 802.1x on wired and WiFi (can't do it on the MX directly).  You drop authenticated users into the main VLAN and other users into the "guest" vlan.  Ditto on WiFi (well rather, authenticated users can access the SSID and you use a separate SSID for guest users).

You will need to deploy the NPS server role.  There is quite a bit of work involved.

 

With regard to switches:

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

For WiFi you would use WPA2-Enterprise mode (this even has an NPS walkthrough for WiFi):

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

In response to PhilipDAth
WarrenG
Getting noticed
‎Sep 11 2018 8:43 PM
‎Sep 11 2018 8:43 PM

Thanks Philip, much appreciated! This is RADIUS/NPS stuff is new to me, so trying to digest it all. Is my assumption correct that users would use their AD username and password to authenticate against the RADIUS/NPS server? If not, what username/passwords would they use?

0 Kudos
In response to WarrenG
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 11 2018 8:44 PM
‎Sep 11 2018 8:44 PM

Typically you configure PEAP for the outer layer and use MSCHAPv2 for the inner layer.  If you do that, and it is a Windows AD joined machine, it will authenticate automatically as the logged in user without the user having to do anything.

0 Kudos
In response to PhilipDAth
WarrenG
Getting noticed
‎Sep 11 2018 8:46 PM
‎Sep 11 2018 8:46 PM

Awesome, thanks. Sounds like I got some reading to do!

0 Kudos
In response to WarrenG
Adam
Kind of a big deal
‎Sep 12 2018 6:27 AM
‎Sep 12 2018 6:27 AM

+1 for what @PhilipDAth said.  RADIUS would be your easiest route.  You can add NPS to a windows server and configure 802.1x to send authorized devices to a trusted VLAN and non authorized devices to a guest VLAN on the Meraki side. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.