MAC whitelist for an Access Point

SvG
Just browsing


All,

 

I use an MR33 access point linked to an MS220-8P. If I turn on the access policy for MAC whitelist on the MS220 switch the access point is able to communicate with the switch but no other device connected to the MR33 access point.

 

How could I make sure that I secure the switch port but also enable any device connected to the access point to communicate with my network?


Thank you

 SvG

 

5 REPLIES
PhilipDAth
Kind of a big deal

Network infrastructure needs to trust other network infrastructure. So you won't be able to authenticate the access point or use the switch to only allow the access point to connect.

 

Also I'll let you think about what you proposed - you only want to allow the MAC address of the AP to connect, and the MAC address of any device attached to the AP.  So in effect, the net proposed security policy is to allow any MAC address to connect.

 

Adam
Kind of a big deal

Agreed with @PhilipDAth's assessment. But you do bring up a good point. In our case, access points are usually not reachable without a ladder etc. I assume you'll have some APs in a potentially accessible location where someone could conceptually unplug the AP then connect a laptop?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
SvG
Just browsing

Right - you would need a ladder and special tools but "Where there is a will, there's a way". A connection over an AP would need authentication.

SvG
Just browsing

------

Adam
Kind of a big deal

In our most secure environments we used 802.1X authentication. Then you can whitelist the AP's MAC, and if a rogue device was connected to that port it would fail over to a guest VLAN.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO