Is it possible to allow devices to connect on a SSID over RADIUS based on their MAC address?

Danut
Getting noticed


Hello everyone,

I want to implement the RADIUS protocol over my WiFi network as part of an AAA framework. The RADIUS servers are deployed, as well as a testing SSID. The authentication on WiFi is based on the EAP-TTLS-GTC framework with an LDAP database as a backend, and everything works fine and smooth for testing.

The problem I have is with the devices that do not use a user from the database for authentication, such as printers and TVs. Is it possible to bypass the EAP authentication and allow these devices to connect based on their MAC address only?


I have tried to create a group policy which bypasses the splash page, but the devices in that group still require EAP authentication.

Thank you in advance!

BrechtSchamp
Kind of a big deal

There would be two possibilities.

  • Either you add a separate SSID for your non-dot1X devices.
  • Or you enable the MAC authentication bypass feature of your RADIUS server. The RADIUS server receives the client's MAC address from the AP, so it could let those devices in without needing to go through the auth process.

    Note that this can be a security issue as anyone can spoof a MAC address. So you should make sure that you limit the access of those devices in some way, either by applying a group policy to them, or by assigning them a specific VLAN.
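As an added example (not code from this thread, and not any vendor's RADIUS implementation), a small Python model of the MAC authentication bypass decision described above: normalize the MAC the AP sends in Calling-Station-Id, check it against an allowlist of known non-802.1X devices, and answer with RFC 2868 tunnel attributes that confine the device to a restricted VLAN. The allowlist, VLAN numbers and the dictionary representation of the RADIUS request are assumptions.

```python
# Added example: MAB authorization as a RADIUS server might decide it.
# Assumptions: the AP places the client MAC in Calling-Station-Id and, for a
# MAB request, also in User-Name with no EAP-Message attribute present.
import re
from typing import Optional

# Constructed allowlist of non-802.1X devices and the restricted VLAN each gets.
MAB_DEVICES = {
    "00:11:22:33:44:55": {"name": "printer-floor1", "vlan": 40},
    "aa:bb:cc:dd:ee:ff": {"name": "tv-lobby", "vlan": 50},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise the MAC formats APs use in Calling-Station-Id
    (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AA:BB:CC:DD:EE:FF) to lowercase
    colon-separated form; return None if it is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_authorize(request: dict) -> Optional[dict]:
    """Return RADIUS reply attributes for a MAB request, or None when the
    request carries EAP and should go through the normal EAP path instead."""
    if "EAP-Message" in request:
        return None
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    user = normalize_mac(request.get("User-Name", ""))
    # Both attributes must carry the same well-formed MAC.
    if mac is None or user != mac:
        return {"code": "Access-Reject", "reason": "malformed or mismatched MAC"}
    device = MAB_DEVICES.get(mac)
    if device is None:
        return {"code": "Access-Reject", "reason": "unknown MAC"}
    # Accept, but pin the device to its restricted VLAN (RFC 2868 attributes),
    # since a MAC address is not a secret and can be spoofed.
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(device["vlan"]),
        "device": device["name"],
    }
```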

Thank you for your answer!

After thinking more about my question, I have realised that I may have thought of the problem less than I should.

As the SSID is configured to be secured with WPA Enterprise, all the devices will expect to log in using authentication credentials. That's how WPA Enterprise works by its very nature.

Creating a separate SSID could solve this problem easily, but I do not want to do that since there is a lot of interference already. I think the best solution for my case will be to create users for devices. This will also enable device monitoring for suspicious activity.

PhilipDAth
Kind of a big deal

With a recent client I did, we installed certificates onto all the printers so they could authenticate just like a user. The client understands they can only buy printers that support 802.1x as a result - but it gives the best security model. No exceptions.


In their case they also had TVs, but I put these onto a separate network that has no access to anything internal.

Thank you for your answer!

Indeed, the authentication with certificates on both server and client using the EAP-TLS framework is the best security model. Unfortunately it is the hardest to manage and it does not scale well with my network.

As a temporary solution I will create users for all the devices, which will allow me to monitor them for suspicious activity easily.