Possible to use MAC address filtering and RADIUS PEAP at the same time?

Just browsing

Greetings All,

I have an MR53 configured to authenticate users via their Windows domain credentials. NPS is installed on a Server 2008R2 domain controller.

Is it possible to configure an SSID to require both domain credentials AND a certain whitelisted MAC address in order to gain access? For example, allow the CEO's laptop, iPad, and iPhone, but not a regular employee's laptop.

Would it need to be configured via the Meraki portal or exclusively on the Windows NPS side?

13 REPLIES
Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

For this to work, you'd definitely need it to happen on the NPS side. On the Meraki side, an SSID can be configured for MAC auth OR your own RADIUS. I'm not sure this is possible with NPS either, but any conditions you set on the policy need to be true. I believe NPS uses an "AND" type operator for the conditions but I'm not positive about this.

Here's some discussion on trying to do MAC auth with NPS on 2012 R2 - https://social.technet.microsoft.com/Forums/lync/en-US/0a1a6e1a-de09-4937-98d4-04e5db0a8f7f/how-to-d...

MRCUR | CMNO #12
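To make the NPS side of that reply concrete, here is an added example that is not from this thread, from Meraki, or from Microsoft. It models what an NPS network policy has to do for a PEAP Access-Request forwarded by the AP: NPS requires every condition on a policy to match, so the user must pass the EAP-MSCHAPv2 exchange against AD AND belong to the right group AND the Calling-Station-Id (the client MAC the AP copies into the request) must match a whitelist. The example assumes the AP sends the MAC as AA-BB-CC-DD-EE-FF, that the NPS "Calling Station ID" condition is evaluated as a pattern (so a whitelist can be written as one anchored alternation), and uses a constructed device list and a constructed stand-in for AD. The names CEO_DEVICES, DIRECTORY, normalize_mac, nps_calling_station_pattern, AccessRequest, Policy and evaluate are all the example's own.

```python
"""
Added example, not code from the thread or from Meraki/Microsoft.

Models an NPS network policy ANDing its conditions for a PEAP request that a
Meraki AP forwards to RADIUS.  Assumptions:
  * the AP puts the client MAC into Calling-Station-Id as AA-BB-CC-DD-EE-FF;
  * the NPS "Calling Station ID" condition is matched as a pattern, so a
    whitelist of MACs can be expressed as one anchored alternation.
"""
import re
from dataclasses import dataclass

# Constructed data: the CEO's devices, written in the mixed notations that turn
# up in real inventories; normalize_mac() makes them comparable.
CEO_DEVICES = {
    "ceo-laptop": "00:11:22:33:44:55",
    "ceo-ipad":   "66-77-88-99-aa-bb",
    "ceo-iphone": "ccdd.eeff.0011",
}

# Constructed stand-in for Active Directory: password plus group membership.
DIRECTORY = {
    "ceo":   {"password": "correct horse", "groups": {"Domain Users", "Executives"}},
    "alice": {"password": "hunter2",       "groups": {"Domain Users"}},
}


def normalize_mac(mac: str) -> str:
    """Collapse colon, hyphen, dot or bare notation to NPS-style AA-BB-CC-DD-EE-FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def nps_calling_station_pattern(macs) -> str:
    """Pattern for the NPS 'Calling Station ID' condition that matches exactly
    these MACs.  Normalized MACs contain only hex digits and hyphens, so no
    escaping is needed; the anchors stop '00-11-22-33-44-55-66' from matching."""
    alternatives = sorted({normalize_mac(m) for m in macs})
    return "^(" + "|".join(alternatives) + ")$"


@dataclass
class AccessRequest:
    user_name: str
    password: str            # stands in for the inner EAP-MSCHAPv2 exchange
    calling_station_id: str  # client MAC as copied into the request by the AP
    eap_type: str            # "PEAP" for 802.1X; MAC auth would arrive differently


@dataclass
class Policy:
    required_group: str
    calling_station_pattern: str
    eap_type: str = "PEAP"


def evaluate(req: AccessRequest, policy: Policy, directory=DIRECTORY):
    """Return (accept, reason).  Every condition must hold; the first failing
    one is reported, mirroring NPS treating policy conditions as a logical AND."""
    if req.eap_type != policy.eap_type:
        return False, "eap-type"
    account = directory.get(req.user_name)
    if account is None or account["password"] != req.password:
        return False, "credentials"          # AD rejected the user
    if policy.required_group not in account["groups"]:
        return False, "group"
    try:
        mac = normalize_mac(req.calling_station_id)
    except ValueError:
        return False, "calling-station-id"
    if not re.fullmatch(policy.calling_station_pattern, mac):
        return False, "calling-station-id"   # right user, unlisted device
    return True, "ok"


if __name__ == "__main__":
    pattern = nps_calling_station_pattern(CEO_DEVICES.values())
    print("NPS Calling Station ID pattern:", pattern)
    policy = Policy(required_group="Executives", calling_station_pattern=pattern)
    for req in (
        AccessRequest("ceo", "correct horse", "66-77-88-99-AA-BB", "PEAP"),  # CEO's iPad
        AccessRequest("ceo", "correct horse", "DE-AD-BE-EF-00-01", "PEAP"),  # CEO, unlisted phone
        AccessRequest("alice", "hunter2", "00-11-22-33-44-55", "PEAP"),      # Alice on the CEO's laptop
    ):
        print(req.user_name, req.calling_station_id, evaluate(req, policy))
```

The only thing NPS can check here is the MAC the client's NIC announced, so the whitelist is an inventory control rather than an authentication factor: a spoofed MAC plus valid credentials still gets in. The AND does buy one thing, which is that a stolen MAC alone, or credentials alone on an unlisted device, are each rejected.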
Head in the Cloud

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

To my knowledge, you're unable to perform MAB as well as RADIUS authentication at this stage.

Eliot F | Simplifying IT with Cloud Solutions
Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

No.

Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

Any reason why the iPhone, iPad, etc. can't be authenticated? I use this configuration a lot. By using AD authentication for everything you buy yourself a lot more protection with staff coming, going and having password rotations happening.

Just browsing

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

AD authentication is fine, but we don't want employees to use their same domain credentials to connect their phones, tablets, and other 3rd party devices without our knowledge.  So I suppose we can lock it down to only Windows domain computers (but what about MacBooks?) or MAC address filtering.

Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

Well, it will be with your knowledge. They are using credentials supplied by your systems, and you can see them in the Dashboard. I think you'll find employees will put two and two together and realise that if they are putting in their own AD credentials, everything will be highly trackable. It would be like robbing a bank using a car registered in your own name.

Other options:

* Change to using certificate based authentication

* Use Meraki MDM and set up a more robust BYOD environment (note MDM can also deploy certificates without you having to set up any certificate infrastructure)

* Use Cisco ISE.

Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

@PhilipDAth wrote:

* Change to using certificate based authentication

* Use Meraki MDM and set up a more robust BYOD environment (note MDM can also deploy certificates without you having to set up any certificate infrastructure)

* Use Cisco ISE.

As @PhilipDAth says, use certificate based authentication. Kids learn how to change MAC addresses before they are in their teens.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Just browsing

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

Just had a quick thought: what if I were to keep RADIUS username/password authentication, but set a layer 3 firewall rule to deny all traffic to the LAN, then use whitelists for specific devices to bypass said rule?

Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

@Techie wrote:

Just had a quick thought: what if I were to keep RADIUS username/password authentication, but set a layer 3 firewall rule to deny all traffic to the LAN, then use whitelists for specific devices to bypass said rule?

Why not use certificates?

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Just browsing

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

I'm not opposed to it.  Can you combine both certificate plus domain credential authentication?

Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

@Techie wrote:

I'm not opposed to it. Can you combine both certificate plus domain credential authentication?

You will probably find this Microsoft Tech Note helpful

Certificates always appear more complicated than they are, but it is worth persevering, and using the Meraki tools for controlling devices, System Manager.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
New here

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

If a machine is not talking 802.1X, then how can you use certificates? This is for devices like Chromecast, Amazon sticks, etc.

Also, Meraki does not support both MAB and 802.1X on the same SSID.

Kind of a big deal

Re: Possible to use MAC address filtering and RADIUS PEAP at the same time?

@capricorn80 wrote:

If a machine is not talking 802.1X, then how can you use certificates? This is for devices like Chromecast, Amazon sticks, etc.

Also, Meraki does not support both MAB and 802.1X on the same SSID.


MAC auth can work well for those types of devices if you don't want to do PEAP with them. 

MRCUR | CMNO #12