Wish: Only allow specified MAC addresses to connect

Mr_IT_Guy
A model citizen

Wish: Only allow specified MAC addresses to connect

On almost all home routers, you can set up your network to allow only specified MAC addresses to connect. With Meraki, the device has to been seen first before you can deny it. Engineers I've talked to have confirmed this and we've put in several tickets on the matter. I'd like to be able to setup a Z1 so that it blocks all MAC addresses except for those that we specific without having to have seen the device first.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
10 Replies 10
MerakiJockey505
Building a reputation

I've come across this before also.  Though it is a bit tedious, I've had success configuring a RADIUS server and using authentication via MAC-based access control found in the Access Control tab under Wireless.  It definitely is a pain for larger networks and multiple clients, but it will work in a pinch.  If your using a Z1 you probably won't have too hard of a time configuring for a small amount of users.

NFL0NR
Building a reputation

I take it these are settings on the radius server you mean, cause I don't remember seeing anything about entering a mac address into the z1

MRCUR
Kind of a big deal

This would be using 802.1X auth against your own RADIUS server.
MRCUR | CMNO #12
robby_barnes
Getting noticed

 


@Mr_IT_Guy wrote:
On almost all home routers, you can set up your network to allow only specified MAC addresses to connect. With Meraki, the device has to been seen first before you can deny it. Engineers I've talked to have confirmed this and we've put in several tickets on the matter. I'd like to be able to setup a Z1 so that it blocks all MAC addresses except for those that we specific without having to have seen the device first.

Absolutely yes.  It would also be really awesome if you could set this at an organization level (or at least a template level) so that you can apply it across large networks very quickly.

RodrigoC
Meraki Employee
Meraki Employee


@robby_barnes wrote:

 


@Mr_IT_Guy wrote:
On almost all home routers, you can set up your network to allow only specified MAC addresses to connect. With Meraki, the device has to been seen first before you can deny it. Engineers I've talked to have confirmed this and we've put in several tickets on the matter. I'd like to be able to setup a Z1 so that it blocks all MAC addresses except for those that we specific without having to have seen the device first.

Absolutely yes.  It would also be really awesome if you could set this at an organization level (or at least a template level) so that you can apply it across large networks very quickly.


Hey @robby_barnes,

Hey @Mr_IT_Guy,

 

I have good news for you. The behavior you describe can be achieved by using the Dashboard 'Clients' page (Network-wide > Clients).

 

If you look in the top right-hand corner of the Clients page, you will see an 'Add client' button ( image attached below ). Using this button, you can add clients using their mac address, individually or multiple at a time, and specify what policy you would like applied to those devices.

add client.png

If what you are looking to do is have all traffic denied by default and only allow traffic for any pre-added device all you need to do is the following:

- Set your layer 3 firewall to Deny all traffic

- Add the list of trusted MAC addresses to the client's page and set their desired policy to 'Whitelist' (if you don't want them restricted in any way) or to a specific group policy.

 

Hope this helps! 

 

 

robby_barnes
Getting noticed

@RodrigoC That does help, but it would be even better if that could be done for the organization, rather than a network.  Is there any way to do that for an org?

 

 


@RodrigoC wrote:

@robby_barnes wrote:

 


@Mr_IT_Guy wrote:
On almost all home routers, you can set up your network to allow only specified MAC addresses to connect. With Meraki, the device has to been seen first before you can deny it. Engineers I've talked to have confirmed this and we've put in several tickets on the matter. I'd like to be able to setup a Z1 so that it blocks all MAC addresses except for those that we specific without having to have seen the device first.

Absolutely yes.  It would also be really awesome if you could set this at an organization level (or at least a template level) so that you can apply it across large networks very quickly.


Hey @robby_barnes,

Hey @Mr_IT_Guy,

 

I have good news for you. The behavior you describe can be achieved by using the Dashboard 'Clients' page (Network-wide > Clients).

 

If you look in the top right-hand corner of the Clients page, you will see an 'Add client' button ( image attached below ). Using this button, you can add clients using their mac address, individually or multiple at a time, and specify what policy you would like applied to those devices.

add client.png

If what you are looking to do is have all traffic denied by default and only allow traffic for any pre-added device all you need to do is the following:

- Set your layer 3 firewall to Deny all traffic

- Add the list of trusted MAC addresses to the client's page and set their desired policy to 'Whitelist' (if you don't want them restricted in any way) or to a specific group policy.

 

Hope this helps! 

 

 


 

RodrigoC
Meraki Employee
Meraki Employee


@robby_barnes wrote:

@RodrigoC That does help, but it would be even better if that could be done for the organization, rather than a network.  Is there any way to do that for an org?

 

@robby_barnes

 

Unfortunately not.  =/

 

However, it's worth noting that if you clone a network, all manually added MAC addresses along with their applied policy will transfer over to the new network. If a new site that requires the discussed restrictions is being deployed, you should be able to clone the new network from a site that already has this policy implemented and simply add a default 'deny any-any' firewall rule to achieve the same configs.

 

Not quite an Org-wide config, but should help save some clicks when provisioning new networks. 😃

robby_barnes
Getting noticed

That is good to know that if you clone a network that is included.  Any luck on templates?  We don't usually clone networks but we do have a very large template for all of our locations.

 


@RodrigoC wrote:

@robby_barnes wrote:

@RodrigoC That does help, but it would be even better if that could be done for the organization, rather than a network.  Is there any way to do that for an org?

 

@robby_barnes

 

Unfortunately not.  =/

 

However, it's worth noting that if you clone a network, all manually added MAC addresses along with their applied policy will transfer over to the new network. If a new site that requires the discussed restrictions is being deployed, you should be able to clone the new network from a site that already has this policy implemented and simply add a default 'deny any-any' firewall rule to achieve the same configs.

 

Not quite an Org-wide config, but should help save some clicks when provisioning new networks. 😃


 

Mr_IT_Guy
A model citizen

@RodrigoC, just tried to do this on our network and it did not work. Not only was I able to still reach the Internet and connect to our internal resources, I was able to also reach restricted content that was supposed to be blocked due to webfilter. Is this occuring because we are forwarding all traffic back to our HQ? Need some help on this as this is really stopping us from getting more Z1s for our over 200+ remote users.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Mr_IT_Guy
A model citizen

@RodrigoC, forget my previous comment. Got it working! While not having the FULL functionality of content filtering, this is at least a very good start.

 

Thanks!

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Get notified when there are additional replies to this discussion.