Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Limiting personal devices

Solved
RandyK
Conversationalist
‎Sep 19 2023 2:04 PM
‎Sep 19 2023 2:04 PM

Limiting personal devices

Unfortunately , the employee wifi password was shared with employees prior to my arrival .  We now have a lot of personal devices connecting.   What is the best method to resolve this?   We have Azure AD 

0 Kudos
Subscribe
1 Accepted Solution
In response to RandyK
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 20 2023 9:56 AM
‎Sep 20 2023 9:56 AM

802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate. 
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

View solution in original post

0 Kudos
Subscribe
6 Replies 6
DarrenOC
Kind of a big deal
Kind of a big deal
‎Sep 19 2023 2:44 PM
‎Sep 19 2023 2:44 PM

Change the password.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Subscribe
In response to DarrenOC
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 19 2023 4:03 PM
‎Sep 19 2023 4:03 PM

I would convert the SSID to an IPSK without radius with a new and old PSK and remove the old password after an audit of the clients. Any device that is connecting to the Old PSK will stop working once the IPSK is removed that covers the old PSK. It's a nice way to rotate passwords without breaking connections entirely. 
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

0 Kudos
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 19 2023 3:06 PM
‎Sep 19 2023 3:06 PM

I would go one step further than @DarrenOC 

Either move to 802.1X or, if you want to keep PSKs, push the passphrase to the clients with an MDM. That way the users can not read the password.

In addition to that, allow the users to connect their personal devices with a different SSID/profile with reduced connectivity to your internal network. 

Subscribe
In response to KarstenI
RandyK
Conversationalist
‎Sep 20 2023 9:41 AM
‎Sep 20 2023 9:41 AM

What solution for 802.1 x would stop the employees from just using their phone and authenticate there

0 Kudos
Subscribe
In response to RandyK
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 20 2023 9:50 AM
‎Sep 20 2023 9:50 AM

Nothing when using Username/PW. But you would see which devices belong to which user and could issue "corrective actions" (whatever this will be). With certificates, the amount of criminal energy of the user will be much higher.

Subscribe
In response to RandyK
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 20 2023 9:56 AM
‎Sep 20 2023 9:56 AM

802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate. 
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.