Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Switch Port Security with NPS and MAC address

Toddhank
New here
‎Mar 22 2024 11:10 AM
‎Mar 22 2024 11:10 AM

Switch Port Security with NPS and MAC address

I hope I did not just make a big mistake switching to Meraki Switches. I am looking for directions to setup port security using a Microsoft NPS and MAC addresses.

 

Simple Explanation:

Since I know the MAC addresses of our equipment, I was hoping to use those addresses like an ACL for the switch ports. If I have a radius server can I setup port security not authentication where if the device MAC address is plugged in the switch port the port is enabled or not.

 

Is something like this possible with Meraki?

0 Kudos
Subscribe
3 Replies 3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 22 2024 11:21 AM
‎Mar 22 2024 11:21 AM

What you can do is create an access policy, port security you won't be able to do using a Radius server.

 

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#Access_Policy_...

 

 

 

  • Access Policy: Apply a restriction policy to this port

 

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports#Port_configuration

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 23 2024 3:30 PM
‎Mar 23 2024 3:30 PM

> I am looking for directions to setup port security using a Microsoft NPS and MAC addresses.

 

This is not so much a Meraki issue, as a limitation on Microsoft NPS capabilities.  Microsoft NPS can do this - you have to create a username in AD that is the MAC address and also make the password the MAC address.

I don't personally like how NPS does it this way, as anyone can now try logging into AD using the MAC address of a device on your network.

Only NPS (to my knowledge) does it this way - but it is "free" (as in, included in your Windows Server licence).  You get what you pay for ...

 

It is more common with wired NPS deployments to use PEAP+MSCHAPv2 authentication.  This lets you authenticate all AD members based on either (or both) of the computer AD account and the user AD account.  You can also do EAP-TLS authentication, where you authenticate using a certificate (actually there are lots of options - these are my favourite two).

If you want to authenticate things like printers, you are more likely to get EAP-TLS working.

Note that you can have both methods enabled at the same time.

 

 

Meraki switches do support "port security" with a static MAC whitelist.  This doesn't use RADIUS, or anything external.

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports#Port_configuration 

 

 

You can also mix both approaches.  Use port security with a static MAC whitelist for switch ports used with printers and the like, and wired 802.1x with Microsoft NPS for "windows" switch ports.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.