Meraki

Community

BYOD - Wireless

nst1
Building a reputation
yesterday
yesterday

BYOD - Wireless

Hello community,

 

Context: I have a Meraki wireless network integrated with an Active Directory, using 802.1x authentication. Employees connect to the wireless network using their domain username and password.

Employees connect a laptop and a cell phone provided by the company to this wireless network.

However, employees also connect their cell phones, tablets, or other personal devices to this 802.1x network. (For network security reasons, these devices should not be connected.)

 

I considered 802.1x + MAC filtering, but it's not an option due to the large number of MAC addresses.

 

Is there any way to prevent personal devices from connecting to the 802.1x network, or are there any other alternatives?

Labels:
0 Kudos
6 Replies 6
rhbirkelund
Kind of a big deal
Kind of a big deal
yesterday
yesterday

The only way to avoid personal devices connecting to a network with PEAP, is to not use PEAP for network authentication.

 


Managed devices should use EAP-TLS, with machine certificates issued from your CA.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
In response to rhbirkelund
PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

EAP-TLS is the best solution.

 

You can deploy a Microsoft CA server (included with Windows Server), create a group policy to automatically deploy certificates to AD members, and configure the WiFi to use those certificates.

Getting the certificates onto mobile devices using this solution is difficult; you need an MDM.  You could use a separate SSID for the mobile devices that only provides Internet access.

 

 

If you *really* want to stick with PEAP, you could create an AD group policy that allows only "machine" authentication to the SSID.  Then tell NPS to only allow "Domain Computers".

You could authenticate the mobile devices onto a separate SSID that only provides Internet access, which allows AD username and password.

You could also use NPS to push a VLAN tag.  "Domain Computers" go onto one [internal] VLAN, "Domain Users" go into another VLAN (with Internet only access).

BlakeRichardson
Kind of a big deal
Kind of a big deal
yesterday
yesterday

What I would do is create a group policy within your Meraki dashboard for company owned devices. Then import the device MAC and assign it to the group policy. Have everything else outside of that policy be put onto a guest VLAN. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to BlakeRichardson
nst1
Building a reputation
yesterday
yesterday

That's sound good, but i need avoid manage MAC address, i appreciate you post.

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

You can also use a MDM solution like Microsoft Intne.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal
Kind of a big deal
yesterday
yesterday

As stated above, the best approach is to use EAP-TLS and issue certificates to your corporate devices only.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2026 Cisco Systems, Inc.