Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MR70 - Outdoor Install: How do you prevent Physical Access?

TDjohn
Conversationalist
‎Jan 28 2021 2:43 AM
‎Jan 28 2021 2:43 AM

MR70 - Outdoor Install: How do you prevent Physical Access?

Hi

 

We are trying out a MR70 to extend coverage to external buildings. This is connected to a Meraki POE Switch. Can anyone point out how you prevent someone taking it off the wall and plugging the Ethernet into a laptop and gaining network access. I am sure there must be a setting to prevent anything other than the MR70 from using the particular port on the switch but I can't work it out.

 

Cheers

 

Tom

Subscribe
6 Replies 6
cmr
Kind of a big deal
Kind of a big deal
‎Jan 28 2021 7:43 AM
‎Jan 28 2021 7:43 AM

If it is an access port then you can set it to Sticky MAC whitelist and limit to 1, just the AP.

 

cmr_0-1611848429890.png

However your AP will not be able to have any clients other than those on SSIDs using Meraki DHCP that are NATed by the AP.

 

If you need trunk mode then there is a new feature where the Meraki AP configures the switchport, so you could leave the initial config on a VLAN with no access and then only a Meraki AP would get connectivity.  However you will need a newer AP. Edit, sorry the MR70 is current so this may be an option for you.

 

I don't think there is a solution for exactly what you have other than locking the AP in a plastic box with the datapoint.

Subscribe
In response to cmr
TDjohn
Conversationalist
‎Jan 28 2021 8:03 AM
‎Jan 28 2021 8:03 AM

OK - that's interesting, thanks. I really thought it would be a common requirement when these things were put outside as you are effectively dangling a network cable outside for anyone to just plug into - worse than an open SSID.

0 Kudos
Subscribe
In response to TDjohn
cmr
Kind of a big deal
Kind of a big deal
‎Jan 28 2021 8:07 AM
‎Jan 28 2021 8:07 AM

With the indoor APs you can lock the AP to the mounting plate so the end of the data cable is inaccessible, especially if you route it through the plate, not sure on the external models if you can do this as we only have one and it was installed years ago!

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 28 2021 1:45 PM
‎Jan 28 2021 1:45 PM

If you are worried about someone taking it off the wall then you are addressing a difficult security issue, because you don't have physical security.

 

You could consider getting a toughened plastic ABS box (such as an electrical cabinet) and putting everything inside of that.  Put a "Danger Live wires" sticker on the outside.

ABS plastic electrical boxes are easy to get hold of and relatively cheap.

 

The "Sticky mac" idea - you'll need to be careful using that approach.  You would be restricted to using NAT mode.  If you use bridge mode than the switch sees the MAC address of all the wireless clients - and they would get blocked.

 

 

There is a feature coming up (don't know when or what models will support it) where you'll be able to say this switch port can only have a Meraki AP (or MX) plugged into it.  The switch authenticates the Meraki device using a cryptographic method.

Subscribe
BeckerIT
Here to help
‎Mar 11 2021 5:31 AM
‎Mar 11 2021 5:31 AM

One thing you could do (depending on how its mounted, would be to run the cabling inside the structure the AP is being mounted to, and put just enough slack outside to physically connect to the AP itself and enclose the whole thing (in some type of lockable NEMA rated outdoor enclosure).

0 Kudos
Subscribe
In response to BeckerIT
jmoake
Getting noticed
‎Mar 12 2021 1:01 PM
‎Mar 12 2021 1:01 PM

At the risk of being too simplistic,  can you mount it higher out of reach?  If you mount in an enclosure, make sure it isn't metal.  Any security cameras in the area?  

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.