Is it possible to block AD authentication on an SSID splash page login for a specific user?

Solved
AaronKennedy
Getting noticed

For several years at my school students have been using Active Directory authentication to sign into wi-fi with their personal devices. A VLAN-specific group policy is then applied to those devices to enforce traffic and content restrictions. In the rare circumstance where a student tries to use a VPN to bypass those restrictions, I can manually block the signed-in device until the student comes to speak with me.
However, some students have discovered that if they turn on "Private Wi-Fi Address" and set the MAC address to rotate every couple of hours, they can use VPNs without any risk of having their device blocked. Yes, they get the splash page login several times per day, but that is just a minor inconvenience to them.
Is there a way in the Meraki dashboard (or in Active Directory) to prevent a specific user or set of users from successfully authenticating on the splash page for the student?
Or conversely, is it possible to uniquely identify and block a specific device in Meraki Dashboard that does not rely on MAC addresses?

1 Accepted Solution
Mloraditch
Head in the Cloud

There is no way to block specific devices except by MAC. The easiest way to achieve your goal would be to set up and use NPS. You already have a Windows environment so that's free and included. In there you can only allow certain groups to get a sign in.
The guide here has an example with NPS: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_RADIUS_Au...

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

4 Replies
AaronKennedy
Getting noticed

Thanks for the reply.
I already use NPS/RADIUS authentication for staff personal devices (which is how I prevent students from signing into the staff SSID).
I suppose I could also implement RADIUS authentication for the students, but if I understand how the dashboard authenticates using RADIUS, I would have to set up a second NPS server in order to accomplish it. When I look at the way the Meraki dashboard authenticates via RADIUS, all authentication requests come from the same Meraki IP address range. I could not assign different OUs in Active Directory to different SSIDs in the dashboard because Meraki does not distinguish requests that come from different SSIDs. With a single NPS server, I could only set up OUs that can authenticate with ALL SSIDs using RADIUS and OUs that cannot.

Mloraditch
Head in the Cloud

Per the documentation, the called station ID attribute contains the SSID so you should be able to filter on that basis within NPS.

There is also the ability for support to enable the Filter-Id so that you can return a group policy value based on staff or student and consolidate SSIDs.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
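To make the mechanism in the reply above concrete, here is an added example (not from the original thread, and not Meraki or NPS code) of the decision a single RADIUS server can make per SSID: it parses a constructed RADIUS Access-Request, reads the SSID out of the Called-Station-Id attribute, checks the user's directory groups against a per-SSID policy (including a "deny" group that blocks an individual user from the splash page regardless of device MAC), and returns a Filter-Id value naming the group policy to apply. The "AP-MAC:SSID" layout of Called-Station-Id, the directory contents, the group and policy names, and the SSID names are all assumptions made up for this example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type codes (RFC 2865)
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_CALLED_STATION_ID = 30

RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_access_request(attributes: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Build a minimal Access-Request (code 1) for testing. The 16-byte request
    authenticator is zeroed here; a real NAS fills it with random bytes."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attributes)
    header = struct.pack("!BBH", 1, ident, RADIUS_HEADER_LEN + len(body)) + bytes(16)
    return header + body


def parse_radius_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the type/length/value attribute list that follows the RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[RADIUS_HEADER_LEN:length]
    attrs: Dict[int, List[bytes]] = {}
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(body[pos + 2:pos + alen])
        pos += alen
    return attrs


def ssid_from_called_station_id(value: bytes) -> str:
    """Assumed layout: 'AA-BB-CC-DD-EE-FF:SSID' (hyphenated AP MAC, colon, SSID)."""
    text = value.decode("utf-8", errors="replace")
    _mac, sep, ssid = text.partition(":")
    return ssid if sep else ""


# Constructed stand-in for Active Directory: user -> set of group names.
DIRECTORY = {
    "jsmith": {"Students"},
    "mjones": {"Staff"},
    "bblocked": {"Students", "WiFi-Denied"},  # student whose access has been revoked
}

# Per-SSID policy: who may sign in, who is always refused, and which dashboard
# group policy name to hand back in Filter-Id on success.
POLICIES = {
    "School-Students": {"require": "Students", "deny": "WiFi-Denied", "filter_id": "student-policy"},
    "School-Staff": {"require": "Staff", "deny": "WiFi-Denied", "filter_id": "staff-policy"},
}


def evaluate(packet: bytes) -> Tuple[str, Optional[str]]:
    """Return ('Access-Accept', filter_id) or ('Access-Reject', None) for a request."""
    attrs = parse_radius_attributes(packet)
    user = attrs.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", errors="replace")
    ssid = ssid_from_called_station_id(attrs.get(ATTR_CALLED_STATION_ID, [b""])[0])
    policy = POLICIES.get(ssid)
    if policy is None or user not in DIRECTORY:
        return ("Access-Reject", None)
    groups = DIRECTORY[user]
    # The deny group wins even when the user is otherwise entitled to the SSID,
    # so one account can be blocked without knowing any device MAC.
    if policy["deny"] in groups or policy["require"] not in groups:
        return ("Access-Reject", None)
    return ("Access-Accept", policy["filter_id"])


def request_for(user: str, ssid: str) -> bytes:
    """Helper that builds a request as the access point would (constructed AP MAC)."""
    csid = ("AA-BB-CC-DD-EE-FF:" + ssid).encode()
    return build_access_request([(ATTR_USER_NAME, user.encode()), (ATTR_CALLED_STATION_ID, csid)])


if __name__ == "__main__":
    for user, ssid in [("jsmith", "School-Students"), ("jsmith", "School-Staff"),
                       ("bblocked", "School-Students"), ("mjones", "School-Staff")]:
        print(user, ssid, evaluate(request_for(user, ssid)))
```

In NPS terms, the `require`/`deny` checks correspond to the Windows Groups condition on a network policy, and the SSID match corresponds to a Called-Station-ID condition written as a pattern that matches the SSID suffix.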
AaronKennedy
Getting noticed

Thanks... I will definitely look into the possibility of expanding RADIUS authentication to the student SSID. It would give me much more granular control over user access.
