Meraki

Community

Limiting personal devices

Solved
RandyK
Conversationalist
‎Sep 19 2023 2:04 PM
‎Sep 19 2023 2:04 PM

Limiting personal devices

Unfortunately , the employee wifi password was shared with employees prior to my arrival .  We now have a lot of personal devices connecting.   What is the best method to resolve this?   We have Azure AD 

0 Kudos
1 Accepted Solution
In response to RandyK
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 20 2023 9:56 AM
‎Sep 20 2023 9:56 AM

802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate. 
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

View solution in original post

0 Kudos
6 Replies 6
DarrenOC
Kind of a big deal
Kind of a big deal
‎Sep 19 2023 2:44 PM
‎Sep 19 2023 2:44 PM

Change the password.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 19 2023 4:03 PM
‎Sep 19 2023 4:03 PM

I would convert the SSID to an IPSK without radius with a new and old PSK and remove the old password after an audit of the clients. Any device that is connecting to the Old PSK will stop working once the IPSK is removed that covers the old PSK. It's a nice way to rotate passwords without breaking connections entirely. 
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 19 2023 3:06 PM
‎Sep 19 2023 3:06 PM

I would go one step further than @DarrenOC 

Either move to 802.1X or, if you want to keep PSKs, push the passphrase to the clients with an MDM. That way the users can not read the password.

In addition to that, allow the users to connect their personal devices with a different SSID/profile with reduced connectivity to your internal network. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
RandyK
Conversationalist
‎Sep 20 2023 9:41 AM
‎Sep 20 2023 9:41 AM

What solution for 802.1 x would stop the employees from just using their phone and authenticate there

0 Kudos
In response to RandyK
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 20 2023 9:50 AM
‎Sep 20 2023 9:50 AM

Nothing when using Username/PW. But you would see which devices belong to which user and could issue "corrective actions" (whatever this will be). With certificates, the amount of criminal energy of the user will be much higher.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to RandyK
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 20 2023 9:56 AM
‎Sep 20 2023 9:56 AM

802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate. 
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.