Meraki

Community

Blocking devices from wifi

Dave_B
Comes here often
‎Feb 16 2024 6:41 AM
‎Feb 16 2024 6:41 AM

Blocking devices from wifi

Hello,

I have a remote site that has a lot of users that connect their mobile phones to wifi and eventually exhaust my DHCP scope. I want to block these devices from connecting at all. I have used the block policy, however, these devices still connect and pull a DHCP IP, just have no network access. doesn't really do much good to block them if they still pull an IP.

Is there a way within Meraki to completely block a device from connecting and pulling an IP address?

 

Thanks,

Dave

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 16 2024 7:06 AM
‎Feb 16 2024 7:06 AM

The best way is using the Meraki MDM, but you can try applying policy by device type.

 

 

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Applying_Policies_by_Device_Type

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Purroy
Meraki Employee
Meraki Employee
‎Feb 16 2024 7:31 AM
‎Feb 16 2024 7:31 AM

You can do several things. Amongst them:

 

1. Create a group policy and assign a VLAN that does not have DHCP and does not go anywhere. Their devices will be place on that VLAN and it will give them a failure as they will not obtain an IP. 

2. Increase your DHCP pool, create a policy that has very limited Bandwidth (10s of Kbps) and assign it to mobile devices. This will make the WiFi for mobile phones so slow that they will prefer to use the LTE connection. 

3.  Stop using PSK and start using a radius server to authenticate. This will not allow their mobiles, which are not in the Radius server, to connect. 


4.  Similar to option 2. Increase your DHCP pool, set the SSID with  very limited Bandwidth (10s of Kbps) and put a splash page telling them not to use WiFi. Assign to your corporate devices a whitelist policy.  This will make any device that connects to WiFi go really slow and get a splash message about their non compliant behaviour. The corporate devices that you whitelist will not be BW limited nor get the splash page. 

it is Friday. I encourage you to play with all of the Dashboard options and see how the users react!

 

Happy weekend.

 

Dave_B
Comes here often
‎Feb 16 2024 9:08 AM
‎Feb 16 2024 9:08 AM

Thanks for the input and suggestions. I will look into all of this

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 16 2024 1:22 PM
‎Feb 16 2024 1:22 PM

Another potentially easy option not mentioned yet - you could expand your DHCP pool.

 

Another option not mentioned yet - you could consider using iPSK - where you give each user their own individual PSK.  If you don't have it, they can't connect.  As a bonus, when you use this method you can add a column to the dashboard to display the name of the iPSK - so you can determine the name of each user connecting.

You can also create a "default" iPSK which is the same as the current PSK, which means you can keep the current WiFi working "as is" while you migrate to iPSK, and then once done, delete the existing default iPSK.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS 

 

As a bonus, both of the above two methods are "free" and once setup they have a very low management overhead (you won't have to do anything to look after it!).

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.