cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

WPA2 PSK with MAC Address Filter

SOLVED
Highlighted
Here to help

WPA2 PSK with MAC Address Filter

I have read through the Meraki's AP configuration guide about MAC address filtering, and see that it only support via "Association requirements" with "no encryption."

 

In non-Meraki, Cisco-based Wi-Fi infrastructure, you can use both WPA2 encrypted data and MAC Address filtering.

 

Does Meraki support Wi-Fi encrypted data configuration and MAC Address filtering?

 

Thanks

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Head in the Cloud

Re: WPA2 PSK with MAC Address Filter

The „fine manual“ is correct (as almost always): you can have PSK or MAC filtering in Meraki world. Not both.

View solution in original post

4 REPLIES 4
Highlighted
Head in the Cloud

Re: WPA2 PSK with MAC Address Filter

The „fine manual“ is correct (as almost always): you can have PSK or MAC filtering in Meraki world. Not both.

View solution in original post

Highlighted
Conversationalist

Re: WPA2 PSK with MAC Address Filter

Meraki currently has MAC filtering through Radius, however there is another method and it is to create a group policy in which you deny everything and to the equipment that you want that if they browse add them to the Full access policy

Highlighted
Here to help

Re: WPA2 PSK with MAC Address Filter

I haven't been able to find documentation on doing MAC address filtering with wifi over radius.  Do you happen to have any documentation or guidance?

Highlighted
Getting noticed

Re: WPA2 PSK with MAC Address Filter

Here's the proper solution! Meraki has MAC address filtering "built-in" because Policy settings are so easy. Meraki Policy settings are based on the MAC address. A lot of customers have this question. 

 

There are multiple ways to use a client MAC address to authorize access on a PSK encrypted network. I'll order them easy to hard to implement:

 

Solution 1. Enable PSK and Click-through Splash and setup a Custom Hosted Splash page that authorizes based on MAC address. 

https://documentation.meraki.com/MR/MR_Splash_Page/Using_a_Sign-on_Splash_Page_to_Restrict_Wireless_...

 

Solution 2. Enable PSK and Click-through Splash and setup a Custom Hosted Splash page that authorizes based on MAC address. You should consider SplashAccess.com instead of building it yourself.

 

Solution 3. Enable PSK and add a firewall rule for the SSID blocking all access. Then use Meraki's policy settings to apply a whitelist policy or apply a Group Policy but just for devices requiring access.

 

Solutions requiring a RADIUS Server:

 

Solution 4. Enable PSK and Sign-on with my RADIUS server and configure your RADIUS server to authorizes based on a MAC address. Most RADIUS servers can do this. 

 

Solution 5. Enable the new feature Identity PSK with RADIUS and configure your RADIUS server to allow specific MAC addresses.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication

 

While the previous post accepted as a solution is still sort of correct, you can't choose PSK and "MAC-based auth" at the same time. But MAC based auth / MAB is not the only type of MAC based authentication/authorization. If you DON'T need a PSK, and really want "MAC based auth" you cannot use PSK. This is primarily used with Cisco ISE deployments for guest WiFi. However, I much prefer the built-in Splash page.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC_based_access_control_...

Colin Lowenberg
wireless engineer and startup founder, formerly known as "the API guy", now I run a Furapi, the therapy dog service, and Lowenberg Labs, an IT consulting company.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.