MAC allow list query - Meraki APs wont pass connected users

Solved
WayneRCN
Conversationalist

MAC allow list query - Meraki APs wont pass connected users

Hi we have introduced MAC allow list on our MS ports. After setting this up to test on one of our Networks we have been able to add printers, dects and Teams TMRs to MAC allow list for specific port configuration without a problem.

 

However when we have come to add Meraki APs to a MAC allow list of a MS port we have found that if any users then connect to the wifi connectivity of the Meraki AP then they are unable to get internet connectivity from the previously working fine SSID before the Meraki AP was added to MAC allowed list.

 

When looking at the individual display of the port on the MS in this scenario the client section shows 2x MAC addresses. One being the MAC of the Meraki AP and one being the MAC of the user connected to the Meraki AP.

 

Is there a setting or some configuration that is required to allow us to add the Meraki APs to MAC allow list making the MS port more secure without affecting wifi users please?

1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee

Remember that, in many instances (bridged SSIDs) an AP is not routing;   traffic from each client will appear with it's own MAC address.   Each of those MACs must be in the allow table, in order to work.

I'd recommend looking into SecurePort instead, in relation to APs connecting to the LAN:   https://documentation.meraki.com/MS/Access_Control/Secure-Port

View solution in original post

2 Replies 2
RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,


This is the expected behavior.  Ditch the MAC allow list and configure SecurePort it will be way more secure that what you are trying to achieve. 

 

https://documentation.meraki.com/MS/Access_Control/SecurePort_(formerly_known_as_SecureConnect)

GreenMan
Meraki Employee
Meraki Employee

Remember that, in many instances (bridged SSIDs) an AP is not routing;   traffic from each client will appear with it's own MAC address.   Each of those MACs must be in the allow table, in order to work.

I'd recommend looking into SecurePort instead, in relation to APs connecting to the LAN:   https://documentation.meraki.com/MS/Access_Control/Secure-Port

Get notified when there are additional replies to this discussion.