Restrict access by PSK and MAC?

SOLVED
WarrenG
Getting noticed

Is it possible to restrict access to a wireless network by requiring both a passphrase and the MAC address being whitelisted?

Accepted Solutions
PhilipDAth
Kind of a big deal

Re: Restrict access by PSK and MAC?

You could set the firewall rules to a default "deny any". Then a user would only get access if they knew both the PSK and you whitelisted them to override the deny.

Could you instead use WPA2-Enterprise mode with Meraki authentication? Then each device would need both a username and a password, and you can disable an individual device easily.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring__WPA2-Enterprise_with_...

Another option is to use a unique PSK per device.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS 

Inderdeep
Kind of a big deal

@WarrenG : Check this out 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Cloud_Hosted_Meraki_Authentication

For MAC, check this thread

https://community.meraki.com/t5/Wireless-LAN/MR-authentication-with-MAC/m-p/56629 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)

WarrenG
Getting noticed

It would seem like using a PSK together with MAC address whitelisting should be a pretty simple option. Why is it that while Meraki's interface is very simplified, you can never seem to do the simple things that you might need to do?

PhilipDAth
Kind of a big deal

Once you create the "deny any" rule (just one single rule), it's like 4 mouse clicks (just tried it) to whitelist a client from the client view.

I'm not sure how Meraki could make this simpler or easier.

DashboardDunce
Meraki Employee

Hey @WarrenG !

I've definitely encountered this before, and as mentioned above you could leverage a firewall to do it like @PhilipDAth and/or leverage @Inderdeep's ideas as well!

A 3rd option... (because Meraki is SO flexible 😉 ) You can:
--> Create an SSID with PSK and enforce a group policy to be applied that has deny ANY ANY.
--> Under Network-Wide, Clients - Add a client by MAC address
    --> Specify a unique Group Policy that grants access to that client MAC either globally or PER-SSID

--> Sit back like a Dashboard DJ!

Hope that helps as well!
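
An added example, not part of any post in this thread and not Meraki code: because the per-client override described above is keyed on the client's MAC address, this Python sketch cleans an inventory before the addresses are entered in the dashboard. It normalizes formats and flags duplicates, malformed entries, multicast addresses and locally administered (often randomized) addresses, which stop matching the override when the device changes its MAC. The function names and the sample inventory are constructed for illustration.

```python
import re

def normalize_mac(raw):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Classify a normalized MAC by the two flag bits of its first octet."""
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"             # group/broadcast address, never a client
    if first & 0x02:
        return "locally_administered"  # typical of randomized "private" addresses
    return "ok"

def build_allow_list(entries):
    """Return (allowed, flagged): {mac: name} and [(name, raw_mac, reason)]."""
    allowed, flagged = {}, []
    for name, raw in entries:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            flagged.append((name, raw, "malformed"))
            continue
        kind = classify(mac)
        if kind != "ok":
            flagged.append((name, raw, kind))
        elif mac in allowed:
            flagged.append((name, raw, "duplicate of " + allowed[mac]))
        else:
            allowed[mac] = name
    return allowed, flagged

# Constructed sample inventory (names and addresses are made up).
SAMPLE = [
    ("front-desk-pc", "00-1A-2B-3C-4D-5E"),
    ("warehouse-scanner", "001a.2b3c.4d5f"),
    ("front-desk-pc-again", "00:1a:2b:3c:4d:5e"),
    ("byod-phone", "DA:A1:19:00:11:22"),
    ("typo", "00:1A:2B:3C:4D"),
    ("broadcast", "ff:ff:ff:ff:ff:ff"),
]

if __name__ == "__main__":
    allowed, flagged = build_allow_list(SAMPLE)
    print(allowed)
    print(*flagged, sep="\n")
```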

WarrenG
Getting noticed

Okay so I'm trying to track with you here. I create a deny rule on the particular SSID I need to lock down. How do you then whitelist a client from the client view?

PhilipDAth
Kind of a big deal

It's called "Allow" rather than "Whitelist".  You can do it in several places, but the client's view is an easy way to do it.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Block_Listing_and_All... 

DashboardDunce
Meraki Employee

Within Wireless - Access Policy "Assign group policies by device type"... then select ALL the types and assign your PSK-ONLY-BLOCK-Group Policy 😉 

 

Then within Network-Wide clients page - Add client section to override and assign a group policy to actually allow things 😉 

WarrenG
Getting noticed

Okay thanks Philip, I'm going to play with this and see if I can test it successfully. Thanks again for the help.

WarrenG
Getting noticed

Thanks @DashboardDunce, I'm going to try Philip's method first and will come back to this if I can't get that working. Thanks again!
