MAC filtering on wireless

SOLVED
Getting noticed

I am building out a new network to replace an existing wireless network that used MAC filtering for clients. The old setup consisted of a pre-shared key and MAC list.

 

I see that in dashboard, you can go to organization-->clients and add a client to the network, but after I put in the MAC and a name, and hit save, it simply says "changes saved" --I don't see that MAC listed anywhere. Will it not show up until the client actually connects?

 

Also, to do MAC filtering do I have to use a RADIUS server? Or can I use the old pre-shared key with MAC filtering?

1 ACCEPTED SOLUTION

Kind of a big deal

Re: MAC filtering on wireless

MAC addresses you add as clients don't show up until the client has connected, and then you have to display the list of clients for the time period the client would have been connected in.

 

Within the scope of the question you have asked, @kYutobi  has given an excellent answer.  Basically create a layer 3 firewall rule blocking all traffic, and then create a group policy and attach it to each individual client that overrides the firewall rules allowing the traffic for that one client.

 

HOWEVER, this is not a modern way of doing things.  You should really consider using something like WPA2-Enterprise mode or at a minimum WPA2-PSK (with this last option being very simple to implement).

You could also consider using the "Trusted Access" feature of Systems Manager (although this does require you to buy Systems Manager licences). This uses certificate-based authentication - but frees you from having to manage the certificates.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Trusted_Access_for_S... 

"Trusted Access" is still a little "green" at the moment.  Apple support is good.  Android and Windows 10 support is weak to poor - but give it maybe another 3 months and that should be sorted out.


7 REPLIES
Kind of a big deal

Re: MAC filtering on wireless

You can create a "group policy" that way you have a list of MAC addresses you import plus make your own rules and blocks for that policy. You won't need a RADIUS server. 

 

Getting noticed

Re: MAC filtering on wireless

I see the group policy creation screen, but don't see anywhere to add a list of MAC addresses 

Kind of a big deal

Re: MAC filtering on wireless

You add them as if you were adding a wireless client. Select the dropdown and assign policy.

 

Getting noticed

Re: MAC filtering on wireless

I have the SSID and MAC working (assigned a policy to my laptop), but I am a little unclear on the firewall blocking

 

So I should go into the SSID and select layer 3 firewall rules and set the default action to block any to local LAN (or any) and simply leave it as that?

 

Wouldn't this block access to everything regardless of allowed MACs? Or does the individual group policy override that?

Kind of a big deal

Re: MAC filtering on wireless

@Silas1066 The group policy will override it, but by default it will block everything else that doesn't have one.

Getting noticed

Re: MAC filtering on wireless

Yes, it looks like it is working. Unless the client is listed with a MAC association and policy, they get "packet filtered" errors when trying to do anything on the network--so it looks like they are blocked.

 

Thanks for your help. This was a bit counter-intuitive, but now it makes sense.
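
For the migration described in the question (carrying an existing MAC list over to per-client group policies), here is an added example that is not part of the original thread and is not Meraki code: a Python helper that brings a legacy list into one canonical notation, drops duplicates and non-client addresses, and flags locally administered addresses before the entries are added as clients. The function names and the sample list are constructed for illustration.

```python
import re

def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    if int(digits[:2], 16) & 0x01:  # group bit set: multicast/broadcast
        raise ValueError(f"group address, not a client: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def prepare_allowlist(lines):
    """Return (accepted, warnings, rejected) for a legacy MAC list."""
    accepted, warnings, rejected, seen = [], [], [], set()
    for lineno, line in enumerate(lines, 1):
        entry = line.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        try:
            mac = normalize_mac(entry)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if mac in seen:
            warnings.append((lineno, f"duplicate of {mac}"))
            continue
        seen.add(mac)
        if is_locally_administered(mac):
            warnings.append((lineno, f"{mac} is locally administered"))
        accepted.append(mac)
    return accepted, warnings, rejected

# Constructed sample of an old MAC list in mixed notations (not real devices).
LEGACY_LIST = """\
00-1A-2B-3C-4D-5E   # front desk laptop
001a.2b3c.4d5e      # same device, dotted notation
a4:83:e7:12:34:56
DA:A1:19:00:00:01   # phone
ff:ff:ff:ff:ff:ff
00:1A:2B:3C:4D
""".splitlines()

if __name__ == "__main__":
    accepted, warnings, rejected = prepare_allowlist(LEGACY_LIST)
    print("add as clients:", accepted)
    print("review:", warnings)
    print("rejected:", rejected)
```

Entries flagged as locally administered are worth checking with the device owner, since a client that randomizes its MAC per network will not match the policy assigned to the listed address.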
