Wireless Access Control

bluegreene
Here to help

Is there a way to configure access to an SSID based not only on a PSK/user credentials, but also limit access to certified devices? For example, staff can connect to the corporate SSID using their Active Directory credentials, but only on devices that have been whitelisted by IT with a client-side certificate or MAC address list?

If System Manager is a solution, are there alternatives like Windows NPS or FreeRADIUS?

Any walkthrough or how-to guides on how to set it up?

Brash
Kind of a big deal

These are easily achievable with a RADIUS server such as the ones you mentioned.

There's a decent guide for configuring Meraki with Microsoft NPS. You can then alter the policies for what works best in your environment:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

alemabrahao
Kind of a big deal

For certificate-based 802.1X, the best option is 802.1X with EAP-TLS:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_suppor...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
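
For anyone taking the FreeRADIUS route the original post mentioned, this is what the EAP-TLS side of that "only our devices" policy looks like. It is an added example, not from this thread or the Meraki guides; the file paths, the CA file name and the issuer DN are assumed placeholders for FreeRADIUS 3.x.

```conf
# /etc/freeradius/3.0/mods-available/eap (FreeRADIUS 3.x, assumed layout)
# Added example, not from the thread. The supplicant must present a client
# certificate chaining to the corporate device CA (the one the MDM pushes),
# so AD credentials alone never get a personal device onto the SSID.
eap {
    # Offer EAP-TLS only. With no peap/ttls blocks defined, a device
    # without a certificate has no weaker method to negotiate down to.
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    tls-config tls-common {
        # RADIUS server's own identity (hypothetical file names)
        private_key_file = ${certdir}/radius.key
        certificate_file = ${certdir}/radius.pem

        # Trust anchor for CLIENT certificates. Point this only at the
        # corporate device CA: a public CA bundle here would admit any
        # client certificate those CAs ever issued to anyone.
        ca_file = ${cadir}/corp-device-ca.pem

        # Pin the issuer DN as well (assumed value), so the check still
        # holds if ca_file is later widened by mistake.
        check_cert_issuer = "/C=US/O=Example Corp/CN=Example Corp Device CA"

        # Revoke lost or retired devices instead of re-keying the CA.
        # CRLs are read from ca_path (hashed directory); check_all_crl
        # applies the check to every certificate in the chain.
        ca_path = ${cadir}
        check_crl = yes
        check_all_crl = yes

        tls_min_version = "1.2"
        tls_max_version = "1.2"
        cipher_list = "HIGH:!aNULL:!MD5"
        cipher_server_preference = yes
    }

    tls {
        tls = tls-common
    }
}
```

The Meraki SSID then just needs this server configured as its RADIUS host; whether a user is also known to AD is decided in the authorize section, not in this module.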

You can also use MAB:

https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Mic...

We'll save MAB as a last resort. I am not a fan of the way Microsoft handles MAB authentication with NPS. 500+ additional AD accounts to manage would be a management overhead nightmare. Pushing certificates to devices enrolled in our MDM is much more manageable.

Thanks!

We'll give this a try and report back. Thanks!

We're still testing but this appears to be working. Allowing domain-joined machines to join.

How do we go about doing the same on iOS and iPadOS devices? We currently use Intune as our MDM.

Thanks!
