Controlling Client Access on Specific Access Points in Meraki Network

KK1

Hello Meraki Community,

 

I have a question regarding client access control on our Meraki wireless network. Currently, we have one SSID being broadcasted across multiple access points in our network. However, we would like to implement some restrictions to enhance security and manage client connections more effectively.

 

1. Allowing Specific Clients to Connect Only to One Chosen Access Point:


Is it possible to configure our Meraki wireless network in a way that specific clients are allowed to connect to only one designated access point? We have certain devices that should always connect to a specific access point due to location or performance reasons. Ensuring that these devices connect only to their designated access point would greatly improve our network management.

 

2. Blocking Unauthorized Clients:


Additionally, we want to enhance our network security by preventing unauthorized clients from connecting to a specific SSID, even if they manage to obtain the correct WPA key.

 

If any of you have experience with similar setups or have insights into how we can achieve these configurations using Meraki, I would greatly appreciate your guidance. Feel free to share your knowledge, best practices, or any helpful tips that could assist us in achieving our desired network access control setup.

 

Thank you in advance for your contributions and support. 

 

Best regards,
KK1

alemabrahao

1 - No, there is no possibility unless you disclose the SSID only in a specific AP, so I think it would be a lot of effort, as you would have to create an SSID for each region you wanted. In the Aironet line, this would be easily resolved by integrating with Cisco Prime.
 
2 - Yes, but it would be a manual process, as you would have to apply the blocking policy on the client manually. The easiest way would be to work with 802.1x or maybe with iPSK.
 
 
 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
UKDanJones

I think my question would be why do you want to do this? It sounds like a solution to a problem because of a bad design. 

What’s the issue you’re finding? Too many clients connected to one AP and not roaming?

 

What’s the security issue you’re facing?

Please feel free to hit that kudos button
PhilipDAth

>Allowing Specific Clients to Connect Only to One Chosen Access Point:

 

I'm with @UKDanJones .  The WiFi network is making live continuous measurements.  It knows more about the RF spectrum than you will do.  You will not be able to manually outperform the algorithm.

 

HOWEVER, if you really wanted to do this, it would be possible via RADIUS.  You would probably create a policy that only allowed a client to authenticate when it connected to a specific AP.  You would need to disable roaming on the WiFi system to prevent the network trying to offload the client if the AP got overloaded.  You would also need to find a WiFi driver that allowed you to force the client to connect to a specific AP, even if another one looked better.

 

>Blocking Unauthorized Clients:

 

Same deal.  You ideally want to be using something like WPA2-Enterprise mode, and then just create whatever RADIUS policies you want to say who can connect to what.

 

If the machines are all Windows and attached to Active Directory you could also create group policies to deny connection to specific SSIDs.
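
Added example, not part of any reply in this thread: a sketch of the RADIUS authorization decision described above, pinning an 802.1X identity to one AP and rejecting identities that are not allowed on the SSID. It assumes the AP sends Called-Station-Id as "<AP MAC>:<SSID>" (the RFC 3580 convention); the policy table, identities and MAC addresses are constructed, and `authorize` is a hypothetical helper, not a Meraki or RADIUS-server API.

```python
import re

# Constructed policy: 802.1X identity -> SSID it may join and, optionally,
# the single AP MAC it is pinned to (None = any AP broadcasting that SSID).
POLICY = {
    "host/scanner-01": {"ssid": "Corp", "ap": "aa:bb:cc:00:00:01"},
    "alice": {"ssid": "Corp", "ap": None},
}

# Assumed Called-Station-Id layout (RFC 3580 convention): "<AP MAC>:<SSID>".
# The MAC may use '-', ':' or '.' separators, and the SSID may contain ':'.
_CALLED = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:.]?[0-9A-Fa-f]{2}){5}):(.+)$")


def norm_mac(raw):
    """Normalise any common MAC notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station(value):
    """Return (ap_mac, ssid), or None if the attribute is missing or malformed."""
    m = _CALLED.match(value or "")
    if not m:
        return None
    return norm_mac(m.group(1)), m.group(2)


def authorize(attrs):
    """Return (decision, reason) for one Access-Request's attributes (a dict).

    Fails closed: unknown identities and unparsable attributes are rejected.
    """
    entry = POLICY.get(attrs.get("User-Name", ""))
    if entry is None:
        return "reject", "unknown identity"
    parsed = parse_called_station(attrs.get("Called-Station-Id"))
    if parsed is None:
        return "reject", "missing or malformed Called-Station-Id"
    ap_mac, ssid = parsed
    if ssid != entry["ssid"]:
        return "reject", "identity not allowed on this SSID"
    if entry["ap"] is not None and ap_mac != entry["ap"]:
        return "reject", "client is pinned to a different AP"
    return "accept", "ok"
```

The decision belongs in the RADIUS server's authorization step, after EAP has authenticated the identity, so it does not rely on the client's MAC address.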
