Meraki

Community

Block mac-address in SSID

Solved
Nedy
Getting noticed
‎Mar 2 2019 9:46 AM
‎Mar 2 2019 9:46 AM

Block mac-address in SSID

Hello! I need to block one device on my Wireless Lan. I mean, I need this device not connect to my SSID. Can I do this? Can I to block the mac-address of this device? Thank you!

0 Kudos
1 Accepted Solution
BrechtSchamp
Kind of a big deal
‎Mar 2 2019 9:57 AM
‎Mar 2 2019 9:57 AM

Yes, go to the clients list (Network-Wide > Clients), find the device and click on it. The scroll down and change the policy. Set the access to your ssid to blocked.

 

Mind you that there's a limit to the number of clients which you can block this way (3000).

 

2019-03-02 18_49_20-Greenshot.png

 

If the client has not yet connected to the network you can also do it on beforehand from the clients list.

2019-03-02 18_52_04-Greenshot.png

View solution in original post

15 Replies 15
BrechtSchamp
Kind of a big deal
‎Mar 2 2019 9:57 AM
‎Mar 2 2019 9:57 AM

Yes, go to the clients list (Network-Wide > Clients), find the device and click on it. The scroll down and change the policy. Set the access to your ssid to blocked.

 

Mind you that there's a limit to the number of clients which you can block this way (3000).

 

2019-03-02 18_49_20-Greenshot.png

 

If the client has not yet connected to the network you can also do it on beforehand from the clients list.

2019-03-02 18_52_04-Greenshot.png

In response to BrechtSchamp
Nedy
Getting noticed
‎Mar 4 2019 7:49 AM
‎Mar 4 2019 7:49 AM

Sorry! I forgot say Thank you! Just today I tried this configuration in the office and it worked perfectly. Thank you!
In response to Nedy
BrechtSchamp
Kind of a big deal
‎Mar 4 2019 8:06 AM
‎Mar 4 2019 8:06 AM

Good to hear. Thanks for the thanks.

0 Kudos
In response to Nedy
Nembrey3
Here to help
‎May 2 2019 10:29 AM
‎May 2 2019 10:29 AM

Works great until they start spoofing their MAC address

In response to Nembrey3
jjpathan
New here
‎Jan 11 2023 9:37 AM
‎Jan 11 2023 9:37 AM

I am actually looking for any possible solution to this. Currently running into this exact problem, the solution is useless once they start spoofing the mac address of the IPhone. 

0 Kudos
In response to jjpathan
Bruce
Kind of a big deal
‎Jan 11 2023 12:14 PM
‎Jan 11 2023 12:14 PM

Yep, with the randomised MAC addresses that are used by virtually every OS now, this is hard to implement. You have to flip it on its head and ensure you are only permitting the devices you want to access your network, and block everything else.

0 Kudos
In response to Bruce
AnthonyP
New here
‎Jan 27 2023 2:59 AM
‎Jan 27 2023 2:59 AM

Apple Devices use the following:

  • x2:xx:xx:xx:xx:xx
  • x6:xx:xx:xx:xx:xx
  • xA:xx:xx:xx:xx:xx
  • xE:xx:xx:xx:xx:xx

Anyway to block these specifically?

0 Kudos
In response to AnthonyP
TBHPTL
A model citizen
‎Sep 28 2023 2:47 PM
‎Sep 28 2023 2:47 PM

DUDE thats not specific to apple devices. Those second  charcters A, E, 2 or 6 indicates an LAMAC, locally administered MAC..

 

ANYONE can use those Windows Apples, Androids Linux.. wired or wireless makes no difference

0 Kudos
In response to TBHPTL
AnthonyP
New here
‎Sep 28 2023 11:22 PM
‎Sep 28 2023 11:22 PM

Thanks for the 2 cents. That doesn’t actually provide a useful solution however

0 Kudos
In response to AnthonyP
TBHPTL
A model citizen
‎Sep 29 2023 9:53 AM
‎Sep 29 2023 9:53 AM

Your solution is RADIUS EAP-TLS or RADIUS anything would be a good start You will need group policies via Intune to stop windows clients from using LMACS  not sure if JAMF allows for this or not for your macs. Also you will want some sort of MDM  solution for mobile devices anything else will be highly manual and inherently insecure. If your guest network lock it down with an appropriate solution

 

Whatever MAC filter you set can be bypassed by anyone with access to Google and a few keystrokes... 

 

If your issue is you are running  low on IP space because of LMACS increase DHCP pool size and decrease lease time.  That is at least 2000 cents worth. by my count you now owe me $20.02.

0 Kudos
In response to Bruce
Jas1066
New here
‎Oct 7 2023 2:55 AM
‎Oct 7 2023 2:55 AM

Hi Bruce/all,

Just seen this post.. this is exactly what I am trying but reverse of this post.

Please could I have some guidance.

Looking have a SSID that is open but blocked but default and I allow specific Macs addresses through.  I see the client add them to policy group.  But where do I add the default block?? Firewall settings??  Client add bypasses the firewall rules.. which means to can get onto my local network??

Any help appreciated

 

Jas

0 Kudos
In response to Jas1066
cpowelltech
Comes here often
‎Feb 16 2024 10:43 AM
‎Feb 16 2024 10:43 AM

I believe the proper way to do this would be to put a splash page login on the SSID, and give your allowed clients a policy that allows them to bypass the splash page.

0 Kudos
In response to BrechtSchamp
sametkirpat
New here
‎Jun 22 2022 4:38 AM
‎Jun 22 2022 4:38 AM

Can we do this by using API?

0 Kudos
In response to BrechtSchamp
ErikaW
New here
‎Sep 28 2023 1:46 PM
‎Sep 28 2023 1:46 PM

Is that block limit of 3000 per network, per organization, or something else?

0 Kudos
UKDanJones
Building a reputation
‎Sep 28 2023 11:35 PM
‎Sep 28 2023 11:35 PM

MAC filtering is not an effective solution. My question would be why do you want to block this device?

Please feel free to hit that kudos button
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.