How to whitelist (force) a device to connect to only one group within an SSID using iPSK without RAD

sleepyman1
New here


I have several groups in the SSID.

I want certain devices to connect to certain groups.


I do not want these devices to be able to connect to any other group in the same SSID if another group's password is leaked.


Due to the Layer 3 firewall setting in that group's Group Policy, it's "Blocked until Whitelisted". Currently I can type in the password for that group that's in iPSK without RADIUS. Then I have to whitelist that device when it is approved so it can finish the connection.


But this also seems to whitelist that device for ALL the other groups. So, if the password from GROUP 1 is leaked to someone who should be in GROUP 2, that device will be able to connect to GROUP 1.


I want to prevent this. I think I'm getting lost in the settings somewhere or need to take a different approach to this.
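The behaviour described in this question is an authorization-model problem: the "whitelist" is keyed on the client's identity (its MAC address) alone, so once a device is approved it is approved regardless of which group's key it presented. The short model below is an added example, not Meraki code and not a description of how the Meraki dashboard is implemented internally; the group names, PSK strings and MAC address are constructed, and the two allowlist classes are hypothetical. It contrasts a device-only allowlist with one that binds the approval to (device, group), which is the property the poster is asking for.

```python
"""Toy model of iPSK group authorization with a post-association allowlist.

Constructed example: the keys, groups and MAC below are made up, and the
two allowlist classes model the policy semantics only.
"""
from dataclasses import dataclass, field

# Constructed sample: each iPSK maps to one group policy within the SSID.
GROUP_KEYS = {
    "group1-key": "GROUP 1",
    "group2-key": "GROUP 2",
}


@dataclass
class GlobalAllowlist:
    """Approval keyed on the device alone (the behaviour the question reports)."""
    allowed: set = field(default_factory=set)

    def approve(self, mac: str, group: str) -> None:
        # The group is ignored: the device is approved everywhere.
        self.allowed.add(mac)

    def permits(self, mac: str, group: str) -> bool:
        return mac in self.allowed


@dataclass
class GroupBoundAllowlist:
    """Approval keyed on (device, group): the property the poster wants."""
    allowed: set = field(default_factory=set)

    def approve(self, mac: str, group: str) -> None:
        self.allowed.add((mac, group))

    def permits(self, mac: str, group: str) -> bool:
        return (mac, group) in self.allowed


def connect(allowlist, mac: str, presented_psk: str) -> tuple:
    """Return (decision, group) for a device presenting a PSK.

    'rejected': the PSK matches no group, so association fails.
    'blocked' : the device joined the group but the L3 firewall keeps it
                 blocked until it is approved for that group.
    'allowed' : the device is approved and traffic flows.
    """
    group = GROUP_KEYS.get(presented_psk)
    if group is None:
        return ("rejected", None)
    if not allowlist.permits(mac, group):
        return ("blocked", group)
    return ("allowed", group)


def demo(allowlist_cls) -> dict:
    """Approve a GROUP 2 device for GROUP 2, then see what a leaked GROUP 1 key buys it."""
    allowlist = allowlist_cls()
    mac = "aa:bb:cc:dd:ee:02"  # constructed: a device that belongs in GROUP 2
    allowlist.approve(mac, "GROUP 2")
    return {
        "own_group": connect(allowlist, mac, "group2-key"),
        "leaked_key": connect(allowlist, mac, "group1-key"),
    }


if __name__ == "__main__":
    for cls in (GlobalAllowlist, GroupBoundAllowlist):
        print(cls.__name__, demo(cls))
```

With the device-only allowlist, the leaked GROUP 1 key gets the approved device all the way through to "allowed" in GROUP 1; with the group-bound allowlist the same device lands in "blocked" because its approval was only ever for GROUP 2. Whichever way the dashboard's per-client policy is keyed, the general lesson matches the replies below: a shared key identifies a group, not a device, so a per-device authorization decision needs a per-device credential (802.1X/RADIUS, or an MDM-delivered profile) to be meaningful.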

2 Replies
alemabrahao
Kind of a big deal

The best way would be to use 802.1x and control this with policies created on your Radius server.

Of course, for this you need an authentication base such as Active Directory or LDAP.

With iPSK there is not much you can do, because the password can leak at any time.

Unless you use a Radius server for iPSK instead of the way you are using it, but even then you will need a Radius server.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee

The issue with keys leaking out could be offset, to a large degree, by use of MDM (e.g. Meraki Systems Manager); only distribute the relevant key via install of the appropriate WiFi profile...


If this general issue is of particular concern to your business though, as mentioned before, Enterprise 802.1X with RADIUS would provide a lot more control.
