Hey all,
I have an all-around Meraki environment including MXs, MS switches and MRs. I wanted to know if there's a way for me to block anyone who tries to remove a cable from my access point and use it on his laptop.
Currently the AP's port on the switch is set to 'trunk' and 'open' access policy. When I tried to change the AP to specific MAC addresses, it didn't allow any client which is not the AP to use the Wi-Fi broadcast by the AP.
Does Meraki offer any protection for this case?
@ww would SecurePort also help in my case? I don't want someone to take the cable of the MR and plug it into his laptop for connectivity.
If I understood correctly, SecurePort will be useful if someone connects a rogue MR/Meraki device?
If you use the AP cable and the device is not a Meraki AP, you will get an access port config, maybe with an unused/limited VLAN. When you connect a Meraki AP, the port will use the pre-defined secure port trunk config.
Set a non-existing VLAN on the default port config. Configure SecurePort. If an AP is connected, the port will be configured as a trunk port with the desired VLANs; otherwise the port will be an access port with the non-existing VLAN, which will prevent any authenticated user (via 802.1X) from using that port, even if the user is 'legit'.
In my opinion, implementing 802.1x authentication on the ports is the best option.
@alemabrahao I'm not sure how this is going to help. If the user is authenticated, he will still be able to use the MR port. Correct?
Not if they are not users that you have created in the domain or the MAC registered if you use MAB.
The best option would be if you had a Cisco ISE in your network to act as a NAC, but an NPS from Microsoft or a FreeRADIUS would already be of great value.