Controlling Client Access on Specific Access Points in Meraki Network
Hello Meraki Community,
I have a question regarding client access control on our Meraki wireless network. Currently, we have one SSID being broadcast across multiple access points in our network. However, we would like to implement some restrictions to enhance security and manage client connections more effectively.
1. Allowing Specific Clients to Connect Only to One Chosen Access Point:
Is it possible to configure our Meraki wireless network in a way that specific clients are allowed to connect to only one designated access point? We have certain devices that should always connect to a specific access point due to location or performance reasons. Ensuring that these devices connect only to their designated access point would greatly improve our network management.
2. Blocking Unauthorized Clients:
Additionally, we want to enhance our network security by preventing unauthorized clients from connecting to a specific SSID, even if they manage to obtain the correct WPA key.
If any of you have experience with similar setups or have insights into how we can achieve these configurations using Meraki, I would greatly appreciate your guidance. Feel free to share your knowledge, best practices, or any helpful tips that could assist us in achieving our desired network access control setup.
Thank you in advance for your contributions and support.
Best regards,
KK1
Please, if this post was useful, leave your kudos and mark it as solved.
I think my question would be why do you want to do this? It sounds like a solution to a problem because of a bad design.
What’s the issue you’re finding? Too many clients connected to one AP and not roaming?
What’s the security issue you’re facing?
>Allowing Specific Clients to Connect Only to One Chosen Access Point:
I'm with @UKDanJones. The WiFi network is making live continuous measurements. It knows more about the RF spectrum than you will do. You will not be able to manually outperform the algorithm.
HOWEVER, if you really wanted to do this, it would be possible via RADIUS. You would probably create a policy that only allowed a client to authenticate when it connected to a specific AP. You would need to disable roaming on the WiFi system to prevent the network trying to offload the client if the AP got overloaded. You would also need to find a WiFi driver that allowed you to force the client to connect to a specific AP, even if another one looked better.
>Blocking Unauthorized Clients:
Same deal. You ideally want to be using something like WPA2-Enterprise mode, and then just create whatever RADIUS policies you want to say who can connect to what.
If the machines are all Windows and attached to Active Directory you could also create group policies to deny connection to specific SSIDs.
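
The RADIUS policy idea from the reply above, sketched in Python as an added example (not code from the thread or from Meraki). It assumes the access point sends Called-Station-Id in the RFC 3580 form `AP-MAC:SSID` and that User-Name is the identity the RADIUS server has already authenticated via WPA2-Enterprise; the SSID name, identities and MAC addresses are constructed placeholders.

```python
import re

# Constructed policy data (hypothetical identities, AP MAC and SSID name).
PINNED_CLIENTS = {"scanner01@example.test": "AA-BB-CC-00-00-01"}  # identity -> only allowed AP
ROAMING_CLIENTS = {"alice@example.test"}                          # allowed on any AP
PROTECTED_SSID = "Corp-WiFi"


def normalize_mac(mac):
    """Return a MAC as upper-case hyphenated octets, or None if malformed."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station_id(value):
    """Split an RFC 3580 style 'AP-MAC:SSID' value into (ap_mac, ssid)."""
    mac = normalize_mac(value[:17])          # separated MAC is 17 characters
    sep, ssid = value[17:18], value[18:]     # SSID may itself contain ':'
    if mac is None or sep != ":" or not ssid:
        return None, None
    return mac, ssid


def authorize(request):
    """Authorization step for an already-authenticated 802.1X request."""
    # Fails closed: anything unparseable or unlisted is rejected.
    ap_mac, ssid = parse_called_station_id(request.get("Called-Station-Id", ""))
    user = request.get("User-Name", "").lower()
    if ap_mac is None:
        return "Access-Reject", "unparseable Called-Station-Id"
    if ssid != PROTECTED_SSID:
        return "Access-Reject", "SSID not covered by this policy"
    if user in PINNED_CLIENTS:
        if ap_mac == PINNED_CLIENTS[user]:
            return "Access-Accept", "pinned client on its designated AP"
        return "Access-Reject", "pinned client on a different AP"
    if user in ROAMING_CLIENTS:
        return "Access-Accept", "known client, any AP"
    return "Access-Reject", "identity not authorized for this SSID"


if __name__ == "__main__":
    # Constructed sample requests.
    for user, csid in [("scanner01@example.test", "AA-BB-CC-00-00-01:Corp-WiFi"),
                       ("scanner01@example.test", "AA-BB-CC-00-00-02:Corp-WiFi"),
                       ("guest@example.test", "AA-BB-CC-00-00-01:Corp-WiFi")]:
        print(user, csid, authorize({"User-Name": user, "Called-Station-Id": csid}))
```

Keying the policy on the authenticated identity rather than the client MAC (Calling-Station-Id) matters here, because a MAC address can be changed by the client while per-user 802.1X credentials cannot be shared the way a WPA key can.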
