Switch Port Security with NPS and MAC address

Toddhank
New here

Switch Port Security with NPS and MAC address

I hope I did not just make a big mistake switching to Meraki Switches. I am looking for directions to setup port security using a Microsoft NPS and MAC addresses.

 

Simple Explanation:

Since I know the MAC addresses of our equipment, I was hoping to use those addresses like an ACL for the switch ports. If I have a radius server can I setup port security not authentication where if the device MAC address is plugged in the switch port the port is enabled or not.

 

Is something like this possible with Meraki?

3 Replies 3
ww
Kind of a big deal
Kind of a big deal
alemabrahao
Kind of a big deal
Kind of a big deal

What you can do is create an access policy, port security you won't be able to do using a Radius server.

 

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#Access_Policy_...

 

 

 

  • Access Policy: Apply a restriction policy to this port

 

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports#Port_configuration

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

> I am looking for directions to setup port security using a Microsoft NPS and MAC addresses.

 

This is not so much a Meraki issue, as a limitation on Microsoft NPS capabilities.  Microsoft NPS can do this - you have to create a username in AD that is the MAC address and also make the password the MAC address.

I don't personally like how NPS does it this way, as anyone can now try logging into AD using the MAC address of a device on your network.

Only NPS (to my knowledge) does it this way - but it is "free" (as in, included in your Windows Server licence).  You get what you pay for ...

 

It is more common with wired NPS deployments to use PEAP+MSCHAPv2 authentication.  This lets you authenticate all AD members based on either (or both) of the computer AD account and the user AD account.  You can also do EAP-TLS authentication, where you authenticate using a certificate (actually there are lots of options - these are my favourite two).

If you want to authenticate things like printers, you are more likely to get EAP-TLS working.

Note that you can have both methods enabled at the same time.

 

 

Meraki switches do support "port security" with a static MAC whitelist.  This doesn't use RADIUS, or anything external.

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports#Port_configuration 

 

 

You can also mix both approaches.  Use port security with a static MAC whitelist for switch ports used with printers and the like, and wired 802.1x with Microsoft NPS for "windows" switch ports.

Get notified when there are additional replies to this discussion.