MR authentication with MAC

SOLVED
framosCTLink
Here to help

MR authentication with MAC

Hi I have this client that requires heavy authentication on wireless devices since they have issues of employees giving out password of SSID to unauthorized clients.

 

Im never new to MX but only more than a year to MR. Upon deploying MR33, I encountered issue(see image below) on MAC based access.

 

-Does this require server or certain configuration to MX?

-Do I need a Radius server?

 

further info:

-MX64 is in use

-2units MR33

-client doesn't have Active Directory

1.JPG2.JPG

Franco Ramos
1 ACCEPTED SOLUTION

>a radius requires a server or AD server

 

Correct - it requires a server of some kind.  FreeRadius is pretty good - and is free - but still requires a server to run on.

 

At 50 users, you could use WPA2-Enterprise authentication with Meraki hosted users.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

This is a very good security solution.

View solution in original post

8 REPLIES 8
PhilipDAth
Kind of a big deal
Kind of a big deal

MAC based authentication is used in conjunction with a RADIUS server.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC_based_access_control_...

I didn't realise you can't use a sign on page as well - but it shows that in your screen shot.

 

If is more common to use WPA2-Enterprise mode.  Typically companies authenticate this against Active Directory using the Microsoft NPS service.  You should be looking at this option.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

You can also use WPA2-Enterprise mode with Meraki Authentication, were you create accounts for users in the portal, but you would only want to do this if you had a small number of users.

 

If their is no centralised authentication like Active Directory you can also use Meraki Systems Manager using the Sentry option where it deploys certificates onto the devices.  This can have a whole lot of pain, so your specific environment would need further consideration.

https://documentation.meraki.com/SM/Deployment_Guides/Systems_Manager_Sentry_Overview

Hi @PhilipDAth 

 

thank you for the response. please correct me if Im wrong, based on the meraki documentation, a radius requires a server or AD server? absence of any server that can provide certain certificate for authentication will not make a radius server complete?

 

for Meraki System Manager, I doubt if the client would use it since its only SMB with less than 50 users. Budgetary concern too. 

Franco Ramos

>a radius requires a server or AD server

 

Correct - it requires a server of some kind.  FreeRadius is pretty good - and is free - but still requires a server to run on.

 

At 50 users, you could use WPA2-Enterprise authentication with Meraki hosted users.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

This is a very good security solution.

Hi @PhilipDAth 

 

one last clarification, if I setup the account per user, will the meraki require log-in once connected to any SSID of my MR and will not be able to use the network even if someone knew the password for any SSID?

Franco Ramos
Kamome
Building a reputation

You can control MAC without RADIUS, but it's little complicated.

I'm using sign-on splash page with Meraki authentication. With this configuration, nobody can login to SSID because I didn't make any accounts for normal users(only network admin have Meraki account). And if I want to allow a client to use that SSID, I've added client's MAC as whitelisted client, so client can override SSID's authentication settings thus can use SSID. But if you use this method, you can add less than 2000 clients because of limitation of Meraki's whitelisted client count.

Hi @Kamome 

 

Thank you. so this mean I need to manually whitelist clients? would my existing Group Policies be affected? please enlighten me.

Franco Ramos

If you don't have an onsite server why not look at something like Jumpcloud?

Kamome
Building a reputation

There is built-in Whitelisted group and you can add client to it through Clients page.

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Client...

2019-08-06 13_01_41-Clients - Meraki Dashboard.png

 

If a client is whitelisted, it will ignore access controls, and always allow to connect network.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels