Blocking the MR44 port from being connected to another device

netper
Here to help

Blocking the MR44 port from being connected to another device

Hey all,
I have an all-around Meraki environment including MXs MS switches and MRs. I wanted to know if there's a way for me to block anyone who tries to remove a cable from my access point and use it on his laptop.
Currently the AP's port on the switch is set to 'trunk' and 'open' access policy. When I tried to change the AP to specific MAC addresses it didnt allow any client which is not the AP to use the wifi broadcasted by the AP.

Is Meraki offering any protection to this case?

7 Replies 7
ww
Kind of a big deal
Kind of a big deal

netper
Here to help

@ww  would SecurePort also help in my case? I dont want someone to take the cable of the MR and plug it in to his laptop for connectivity.
If I understood correctly, SecurePort will be useful if someone connects a rouge MR/Meraki device?

ww
Kind of a big deal
Kind of a big deal

If you use the AP cable and the device is not a Meraki AP you will get a access port config, maybe with unused/limited vlan. When you connect a meraki ap the port will use pre-defined secure port trunk config

RaphaelL
Kind of a big deal
Kind of a big deal

Set a non existing vlan on the default port config. Configure secureport. If an AP is connected the port will be configured on a trunk port with the desired vlans , else the port will be an access port with the non existing vlan which will prevent any authenticated user ( via 802.1X )  from using that port ,even if the user is 'legit'

alemabrahao
Kind of a big deal
Kind of a big deal

In my opinion, implementing 802.1x authentication on the ports is the best option.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
netper
Here to help

@alemabrahao  Im not sure how is this going to help, if the user is authenticated he will still be able to use the MR port. Correct?

alemabrahao
Kind of a big deal
Kind of a big deal

Not if they are not users that you have created in the domain or the MAC registered if you use MAB.

The best option would be if you had a Cisco ISE in your network to act as a NAC, but an NPS from Mircosoft or a Freeradius would already be of great value.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.