MR 52/53 access points - limit user devices - or BYOD limit and management

MST
Here to help

MR 52/53 access points - limit user devices - or BYOD limit and management

Experts,

 

I am new to Meraki Access points. We plan to purchase 80 MR52 but I have a dilemma. 

 

We would use PPKS for school owned devices like Chrombooks, IPADS, MAC Book Air Plays.

 

We would use radius SSID using Windows NPS for teachers authentication. The only question is how to limit devices amount per user? Also what about if a teacher wants to use their credentials on a cell phone? How to approach that?

Would be nice to use 802.1X - radius (NPS)authentication for both MAC BOOK pros (school owned) and other BYOD like teachers cell phones, ipads. We dont have to use radius, we can use AD for authentication but how we can approach teacher own devices? 

 

Any idea? 

5 REPLIES 5
jdsilva
Kind of a big deal

Do you mean PPSK? If so PPSK is an Aerohive thing. You don't have that option on Meraki.

 

For simultaneous logins, you can control that via NPS with RADIUS Accounting.  I'll see if I can find an example...

Thank you jdsilva,  

 

In aerohive there is SSID and user profile so I can limit to one SSID and multiple user authentication. Is there something similar with Meraki? 

PhilipDAth
Kind of a big deal
Kind of a big deal

Because you are using RADIUS to authenticate users, you need to do it there.  You need to match on the Called-Station-ID attribute.  This is a reference article:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

NolanHerring
Kind of a big deal

There is an option in the wireless access control settings where you can enable group policies by device type. So for example, you can block Android phones from connecting to that specific SSID if you wanted to.

I will warn you that this can be problematic with apple devices as they occasionally have false positives where it thinks an apple macbook pro is an iphone, and blocks it. which requires you to set the policy back to normal.

If you use EAP-TLS for the SSID for school owned devices, then you wouldn't have to worry about AD credentials and false positives. BYOD devices simply won't be able to connect as they won't have the certificate. However certs can also be a hassle to deal with (at the start anyhow).

If your radius is configured for AD credentials vs machine authentication, then a teacher could use their AD credentials on their personal phone and connect. If you set it to machine authentication then the computers that are in your AD would be the only ones that 'should' be able to connect.

Using a PSK for BYOD stuff turns into a monster after a while. Especially if your cycling the password every now and then. In reality its really not going to be 'secure' in the sense that it would probably take little to no effort for someone on school grounds to obtain whatever the password is via social engineering, reading the paper taped to the wall that tells everyone what the password is etc. This is something you'll need to decide of course, how difficult/easy you want it to be for end users.

Easier solution for BYOD gear is to just create a guest SSID and leave it open. Lock it down of course so there is no L2 or L3 peer to peer communications. No LAN access. Strictly internet only. This makes it super easy for anyone to connect and you don't have to worry about it anymore.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal

For school owned devices you should considuer using Meraki Systems Manager.  This puts a certificate onto each device, and then it authenticates to the WiFi network using the certificate.

 

Have a read over this:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TLS_Wireless_Authe...

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels