Block mac-address in SSID

SOLVED
Nedy
Getting noticed

Hello! I need to block one device on my wireless LAN. I mean, I need this device not to connect to my SSID. Can I do this? Can I block the MAC address of this device? Thank you!

1 ACCEPTED SOLUTION
BrechtSchamp
Kind of a big deal

Yes, go to the clients list (Network-Wide > Clients), find the device and click on it. Then scroll down and change the policy. Set the access to your SSID to blocked.

Mind you that there's a limit to the number of clients which you can block this way (3000).

If the client has not yet connected to the network you can also do it beforehand from the clients list.

15 REPLIES
Sorry! I forgot to say thank you! Just today I tried this configuration in the office and it worked perfectly. Thank you!
BrechtSchamp
Kind of a big deal

Good to hear. Thanks for the thanks.

Works great until they start spoofing their MAC address

I am actually looking for any possible solution to this. Currently running into this exact problem; the solution is useless once they start spoofing the MAC address of the iPhone.

Bruce
Kind of a big deal

Yep, with the randomised MAC addresses that are used by virtually every OS now, this is hard to implement. You have to flip it on its head and ensure you are only permitting the devices you want to access your network, and block everything else.

Apple Devices use the following:

  • x2:xx:xx:xx:xx:xx
  • x6:xx:xx:xx:xx:xx
  • xA:xx:xx:xx:xx:xx
  • xE:xx:xx:xx:xx:xx

Any way to block these specifically?

DUDE, that's not specific to Apple devices. Those second characters A, E, 2 or 6 indicate an LAMAC, a locally administered MAC.

ANYONE can use those: Windows, Apples, Androids, Linux. Wired or wireless makes no difference.
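Added example, not part of the original thread: the second hex digits 2, 6, A and E discussed above fall out of two bits in the first octet of any MAC address (the locally-administered bit set, the group bit clear), which is why they cannot identify a vendor. The function names and the client list below are constructed for illustration.

```python
import re
from collections import Counter

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(text):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", text).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def classify_mac(text):
    """Classify by the two low bits of the first octet (IEEE 802 addressing)."""
    first_octet = int(normalize_mac(text)[:2], 16)
    if first_octet & 0x01:      # I/G bit set: group (multicast/broadcast) address
        return "multicast"
    if first_octet & 0x02:      # U/L bit set: locally administered, any OS can set it
        return "local"
    return "universal"          # assigned from a vendor's registered block

def local_unicast_nibbles():
    """Second hex digits that mean U/L bit = 1 and I/G bit = 0."""
    return sorted(f"{n:X}" for n in range(16) if n & 0x02 and not n & 0x01)

def triage(clients):
    """clients: iterable of (description, mac). Returns (counts, local entries)."""
    counts, local = Counter(), []
    for description, mac in clients:
        kind = classify_mac(mac)
        counts[kind] += 1
        if kind == "local":
            local.append((description, mac))
    return counts, local

# Constructed sample client list (not real devices), in three common notations.
SAMPLE_CLIENTS = [
    ("phone-a", "3A:5F:10:9C:44:01"),
    ("laptop-b", "f6-12-ab-00-9e-7d"),
    ("printer", "00:11:22:84:45:E6"),
    ("switch", "0010.0a12.3456"),
    ("tablet-c", "be:ef:00:11:22:33"),
]

if __name__ == "__main__":
    print("second digits meaning 'locally administered':", local_unicast_nibbles())
    counts, local = triage(SAMPLE_CLIENTS)
    print(dict(counts))
    for description, mac in local:
        print("not a stable identifier:", description, mac)
```

Entries reported as local are addresses the client chose for itself, so a block or allow policy keyed on them stops matching as soon as the device picks a new one.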

Thanks for the 2 cents. That doesn’t actually provide a useful solution, however.

Your solution is RADIUS EAP-TLS, or RADIUS anything would be a good start. You will need group policies via Intune to stop Windows clients from using LMACs; not sure if JAMF allows for this or not for your Macs. Also, you will want some sort of MDM solution for mobile devices; anything else will be highly manual and inherently insecure. If it's your guest network, lock it down with an appropriate solution.

Whatever MAC filter you set can be bypassed by anyone with access to Google and a few keystrokes...

If your issue is you are running low on IP space because of LMACs, increase DHCP pool size and decrease lease time. That is at least 2000 cents' worth. By my count you now owe me $20.02.

Hi Bruce/all,

Just seen this post. This is exactly what I am trying, but the reverse of this post.

Please could I have some guidance.

Looking to have an SSID that is open but blocked by default, and I allow specific MAC addresses through. I see the client, add them to policy group. But where do I add the default block? Firewall settings? Client add bypasses the firewall rules, which means they can get onto my local network?

Any help appreciated.

Jas

I believe the proper way to do this would be to put a splash page login on the SSID, and give your allowed clients a policy that allows them to bypass the splash page.

Can we do this by using the API?

Is that block limit of 3000 per network, per organization, or something else?

UKDanJones
Building a reputation

MAC filtering is not an effective solution. My question would be why do you want to block this device?

Please feel free to hit that kudos button