Block devices on WiFi

nst1
Building a reputation

Block devices on WiFi

 

I have 1 SSID Wifi_Mobile in this SSID I want only mobile devices to connect and I do not want any laptop to connect to the SSID.

 

How can I block the laptops?

11 REPLIES 11
NolanHerring
Kind of a big deal

Within access control settings you could setup group policy by device type and block the ones you don't want (Windows/Mac OSX).
 
324234234.JPG
 
Keep in mind this system is not perfect.
 
Otherwise, you could go into the client list, find any laptops, and change their policy from Normal to Blocked if you see them connect (which is after they connect of course).
Nolan Herring | nolanwifi.com
TwitterLinkedIn

There probably isn't really a clean way to do this, or a way that does not require you to step in every day. Usually its the opposite direction, where you only want laptops to connect and you don't want BYOD devices on the SSID. That is best fixed with EAP-TLS certificate based, or machine-based authentication against AD etc.

In your situation, if a phone can connect, a laptop is almost certainly also going to be able to, other than what I mentioned above in my first post.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
nst1
Building a reputation


@NolanHerring
I've tried but a laptop can connect although I'm blocking them.
NolanHerring
Kind of a big deal

When you say you block them, you mean letting the policy do it (that might take a few minutes to kick in).

If you manually block a machine, it will connect but it should get a message saying it has been blocked etc.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
nst1
Building a reputation

@ NolanHerring

I've let the policy do it, I've configured it for a couple of hours and I'm still trying but the result is that the laptop still manages to connect.
NolanHerring
Kind of a big deal

Connects and is able to browse, access internet etc.?

So keep in mind that the policy approach is not 100%. Sometimes a machine will still get by and it will never detect. I've seen this in the other direction where an iPhone jumps on the corp SSID (even though it should be blocked) and has access for hours/days. It 'usually' catches them though.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Gumby
Getting noticed

I could be way off the mark here but I have a feeling if the laptop had already connected prior to the policy being in place, it'll continue to connect.

 

The policy will only apply for new devices it hasn't seen before.

nst1
Building a reputation


@Gumby


ok, my computer always connects to this SSID but other computers if it blocks and another does not.

It seems that is how you comment.

Do you mean that only the policy will apply to the equipment that has never connected to that SSID ??? or that they have never connected to the Meraki equipment (that is, in another SSID or LAN) ???

Is there any way to delete my MAC from Meraki so that I can apply the policy ???

Well, even though I have deleted my laptop's Wi-Fi network, it still connects.
Cmiller
Building a reputation

This is the experience I've had
PhilipDAth
Kind of a big deal
Kind of a big deal

Note that "device type" detection is one when the client first makes an http request.  Until then it doesn't know what kind of device type it is.

 

The best and cleanest solution would be to use Meraki Systems Manager on the mobile devices, and then use "sentry" mode which deploys a certificate onto the device.  Only devices with the certificate can then attach.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TLS_Wireless_Authe...

Bossnine
Building a reputation

I second what everyone is saying, especially the part about it not being foolproof.  I have a network specifically for BYOD devices so I put in a policy to disallow those devices on another specific network.  It worked 'mostly'; however, it would sometimes block iPads when I only wanted it to block iPhones. (even though they are two unique policies)

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels