Possible to use MAC address filtering and RADIUS PEAP at the same time?

Techie
Comes here often

Greetings All,

I have an MR53 configured to authenticate users via their Windows domain credentials.  NPS is installed on a Server 2008R2 domain controller.

Is it possible to configure an SSID to require both domain credentials AND a certain whitelisted MAC address in order to gain access?  For example, allow the CEO's laptop, iPad, and iPhone, but not a regular employee's laptop.

Would it need to be configured via the Meraki portal or exclusively on the Windows NPS side?

13 REPLIES 13
MRCUR
Kind of a big deal

For this to work, you'd definitely need it to happen on the NPS side. On the Meraki side, an SSID can be configured for MAC auth OR your own RADIUS. I'm not sure this is possible with NPS either, but any conditions you set on the policy need to be true. I believe NPS uses an "AND" type operator for the conditions but I'm not positive about this. 

Here's some discussion on trying to do MAC auth with NPS on 2012 R2 - https://social.technet.microsoft.com/Forums/lync/en-US/0a1a6e1a-de09-4937-98d4-04e5db0a8f7f/how-to-d...

MRCUR | CMNO #12
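To make the "all conditions must be true" point concrete, here is an added Python sketch (not from the post and not NPS code) that evaluates a request against an NPS-style policy carrying a user-group condition and a Calling-Station-Id MAC whitelist; the group name, the MACs, the request fields and the regex form of the condition are constructed assumptions.

```python
import re

# Constructed example policy. NPS ANDs its conditions: the user must be in the
# group AND the reported MAC must match the Calling-Station-Id pattern.
ALLOWED_MACS = ["AA-BB-CC-DD-EE-01", "AA-BB-CC-DD-EE-02", "AA-BB-CC-DD-EE-03"]
POLICY = {
    "user_group": "CORP\\Executives",                          # assumed group
    "calling_station_id": "^(" + "|".join(re.escape(m) for m in ALLOWED_MACS) + ")$",
    "auth_type": "PEAP",
}


def normalize_mac(raw):
    """Access points report the MAC in vendor-specific forms (aa:bb:..,
    aabb.ccdd.ee01, aabbccddee01). Canonicalise to dashed upper-case so the
    whitelist pattern does not silently fail on a formatting mismatch."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate(request, policy=POLICY):
    """Return (granted, reason). Every condition is checked; any miss denies."""
    if policy["user_group"] not in request.get("groups", []):
        return False, "user not in required group"
    if request.get("auth_type") != policy["auth_type"]:
        return False, "authentication method does not match policy"
    mac = normalize_mac(request.get("calling_station_id", ""))
    if mac is None or not re.match(policy["calling_station_id"], mac):
        # Note: the MAC is self-reported by the client, so this condition only
        # narrows the policy; it is not a second authentication factor.
        return False, "calling-station-id not on whitelist"
    return True, "all conditions matched"


# Constructed sample requests, as an NPS server might receive them.
CEO_LAPTOP = {"user": "ceo", "groups": ["CORP\\Executives", "CORP\\Staff"],
              "auth_type": "PEAP", "calling_station_id": "aa:bb:cc:dd:ee:01"}
CEO_PHONE_UNLISTED = {"user": "ceo", "groups": ["CORP\\Executives"],
                      "auth_type": "PEAP", "calling_station_id": "aabb.ccdd.ee99"}
STAFF_ON_CEO_MAC = {"user": "alice", "groups": ["CORP\\Staff"],
                    "auth_type": "PEAP", "calling_station_id": "AA-BB-CC-DD-EE-02"}

if __name__ == "__main__":
    for name, req in [("ceo laptop", CEO_LAPTOP), ("ceo phone", CEO_PHONE_UNLISTED),
                      ("staff on ceo mac", STAFF_ON_CEO_MAC)]:
        print(name, evaluate(req))
```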
MilesMeraki
Head in the Cloud

To my knowledge, you're unable to perform MAB as well as Radius authentication at this stage.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
PhilipDAth
Kind of a big deal

No.

PhilipDAth
Kind of a big deal

Any reason why the iPhone, iPad etc. can't authenticate?  I use this configuration a lot.  By using AD authentication for everything you buy yourself a lot more protection with staff coming, going and having password rotations happening.

AD authentication is fine, but we don't want employees to use their same domain credentials to connect their phones, tablets, and other 3rd party devices without our knowledge.  So I suppose we can lock it down to only Windows domain computers (but what about MacBooks?) or MAC address filtering.

PhilipDAth
Kind of a big deal

Well, it will be with your knowledge.  They are using credentials supplied by your systems, and you can see them in the Dashboard.  I think you'll find employees will put two and two together and realise if they are putting in their own AD credentials that everything will be highly trackable.  It would be like robbing a bank using a car registered in your own name.

Other options:

* Change to using certificate based authentication

* Use Meraki MDM and set up a more robust BYOD environment (note MDM can also deploy certificates without you having to set up any certificate infrastructure)

* Use Cisco ISE.


@PhilipDAth wrote:

* Change to using certificate based authentication

* Use Meraki MDM and set up a more robust BYOD environment (note MDM can also deploy certificates without you having to set up any certificate infrastructure)

* Use Cisco ISE.


As @PhilipDAth says, use certificate based authentication. Kids learn how to change MAC addresses before they are in their teens.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Just had a quick thought: what if I were to keep RADIUS username/password authentication, but set a layer 3 firewall rule to deny all traffic to the LAN, then use whitelists for specific devices to bypass said rule?


@Techie wrote:

Just had a quick thought: what if I were to keep RADIUS username/password authentication, but set a layer 3 firewall rule to deny all traffic to the LAN, then use whitelists for specific devices to bypass said rule?


Why not use certificates?

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

I'm not opposed to it.  Can you combine both certificate plus domain credential authentication?


@Techie wrote:

I'm not opposed to it.  Can you combine both certificate plus domain credential authentication?


You will probably find this Microsoft Tech Note helpful

Certificates always appear more complicated than they are, but it is worth persevering, and using the Meraki tools for controlling devices, System Manager.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

If a machine is not talking 802.1x then how can you use a certificate? This is for devices like Chromecast, Amazon sticks etc.

Also Meraki does not support both MAB and 802.1x on the same SSID.

MRCUR
Kind of a big deal


@capricorn80 wrote:

If a machine is not talking 802.1x then how can you use a certificate? This is for devices like Chromecast, Amazon sticks etc.

Also Meraki does not support both MAB and 802.1x on the same SSID.


MAC auth can work well for those types of devices if you don't want to do PEAP with them. 

MRCUR | CMNO #12