- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Limiting personal devices
Unfortunately , the employee wifi password was shared with employees prior to my arrival . We now have a lot of personal devices connecting. What is the best method to resolve this? We have Azure AD
Solved! Go to solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate.
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change the password.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would convert the SSID to an IPSK without radius with a new and old PSK and remove the old password after an audit of the clients. Any device that is connecting to the Old PSK will stop working once the IPSK is removed that covers the old PSK. It's a nice way to rotate passwords without breaking connections entirely.
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would go one step further than @DarrenOC
Either move to 802.1X or, if you want to keep PSKs, push the passphrase to the clients with an MDM. That way the users can not read the password.
In addition to that, allow the users to connect their personal devices with a different SSID/profile with reduced connectivity to your internal network.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What solution for 802.1 x would stop the employees from just using their phone and authenticate there
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nothing when using Username/PW. But you would see which devices belong to which user and could issue "corrective actions" (whatever this will be). With certificates, the amount of criminal energy of the user will be much higher.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate.
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...
