Meraki

Community

MR authentication with MAC

Solved
framosCTLink
Here to help
‎Aug 5 2019 6:47 PM
‎Aug 5 2019 6:47 PM

MR authentication with MAC

Hi I have this client that requires heavy authentication on wireless devices since they have issues of employees giving out password of SSID to unauthorized clients.

 

Im never new to MX but only more than a year to MR. Upon deploying MR33, I encountered issue(see image below) on MAC based access.

 

-Does this require server or certain configuration to MX?

-Do I need a Radius server?

 

further info:

-MX64 is in use

-2units MR33

-client doesn't have Active Directory

1.JPG2.JPG

Franco Ramos
0 Kudos
1 Accepted Solution
In response to framosCTLink
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 5 2019 8:39 PM
‎Aug 5 2019 8:39 PM

>a radius requires a server or AD server

 

Correct - it requires a server of some kind.  FreeRadius is pretty good - and is free - but still requires a server to run on.

 

At 50 users, you could use WPA2-Enterprise authentication with Meraki hosted users.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

This is a very good security solution.

View solution in original post

0 Kudos
8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 5 2019 6:53 PM
‎Aug 5 2019 6:53 PM

MAC based authentication is used in conjunction with a RADIUS server.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC_based_access_control_...

I didn't realise you can't use a sign on page as well - but it shows that in your screen shot.

 

If is more common to use WPA2-Enterprise mode.  Typically companies authenticate this against Active Directory using the Microsoft NPS service.  You should be looking at this option.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

You can also use WPA2-Enterprise mode with Meraki Authentication, were you create accounts for users in the portal, but you would only want to do this if you had a small number of users.

 

If their is no centralised authentication like Active Directory you can also use Meraki Systems Manager using the Sentry option where it deploys certificates onto the devices.  This can have a whole lot of pain, so your specific environment would need further consideration.

https://documentation.meraki.com/SM/Deployment_Guides/Systems_Manager_Sentry_Overview

In response to PhilipDAth
framosCTLink
Here to help
‎Aug 5 2019 8:30 PM
‎Aug 5 2019 8:30 PM

Hi @PhilipDAth 

 

thank you for the response. please correct me if Im wrong, based on the meraki documentation, a radius requires a server or AD server? absence of any server that can provide certain certificate for authentication will not make a radius server complete?

 

for Meraki System Manager, I doubt if the client would use it since its only SMB with less than 50 users. Budgetary concern too. 

Franco Ramos
0 Kudos
In response to framosCTLink
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 5 2019 8:39 PM
‎Aug 5 2019 8:39 PM

>a radius requires a server or AD server

 

Correct - it requires a server of some kind.  FreeRadius is pretty good - and is free - but still requires a server to run on.

 

At 50 users, you could use WPA2-Enterprise authentication with Meraki hosted users.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

This is a very good security solution.

0 Kudos
In response to PhilipDAth
framosCTLink
Here to help
‎Aug 12 2019 7:23 PM
‎Aug 12 2019 7:23 PM

Hi @PhilipDAth 

 

one last clarification, if I setup the account per user, will the meraki require log-in once connected to any SSID of my MR and will not be able to use the network even if someone knew the password for any SSID?

Franco Ramos
0 Kudos
Kamome
Building a reputation
‎Aug 5 2019 7:30 PM
‎Aug 5 2019 7:30 PM

You can control MAC without RADIUS, but it's little complicated.

I'm using sign-on splash page with Meraki authentication. With this configuration, nobody can login to SSID because I didn't make any accounts for normal users(only network admin have Meraki account). And if I want to allow a client to use that SSID, I've added client's MAC as whitelisted client, so client can override SSID's authentication settings thus can use SSID. But if you use this method, you can add less than 2000 clients because of limitation of Meraki's whitelisted client count.
In response to Kamome
framosCTLink
Here to help
‎Aug 5 2019 8:55 PM
‎Aug 5 2019 8:55 PM

Hi @Kamome 

 

Thank you. so this mean I need to manually whitelist clients? would my existing Group Policies be affected? please enlighten me.

Franco Ramos
0 Kudos
In response to framosCTLink
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Aug 5 2019 8:59 PM
‎Aug 5 2019 8:59 PM

If you don't have an onsite server why not look at something like Jumpcloud?

In response to framosCTLink
Kamome
Building a reputation
‎Aug 5 2019 9:04 PM
‎Aug 5 2019 9:04 PM

There is built-in Whitelisted group and you can add client to it through Clients page.

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Client...

2019-08-06 13_01_41-Clients - Meraki Dashboard.png

 

If a client is whitelisted, it will ignore access controls, and always allow to connect network.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.