Meraki

Community

Lockdown Clients on an SSID by Mac Address

merakitales
Just browsing
‎Sep 21 2019 5:01 PM
‎Sep 21 2019 5:01 PM

Lockdown Clients on an SSID by Mac Address

We have several meraki access points and we're looking to limit access to the corporate SSID to only corporate laptops and keep out personal devices. We have changed the password a couple of times and we're still finding personal devices on the corporate network. How do we go about limiting access to an SSID by mac address without using a radius server?

0 Kudos
5 Replies 5
BrechtSchamp
Kind of a big deal
‎Sep 21 2019 7:46 PM
‎Sep 21 2019 7:46 PM

This describes what you need:

https://documentation.meraki.com/MR/MR_Splash_Page/Using_a_Sign-on_Splash_Page_to_Restrict_Wireless_...

 

Basically you're setting up a splash page and whitelisting certain devices to make the access points allow them to the network without the splash page.

In response to BrechtSchamp
merakitales
Just browsing
‎Sep 22 2019 8:35 AM
‎Sep 22 2019 8:35 AM

Thanks Brecht! Had an extra kudos question: we are thinking to use jumpcloud's radius-as-a-service with the association requirements of WPA2-Enterprise in the meraki dashboard to authenticate to the SSID via ldap user credentials in jumpcloud.

 

 

The preferable requirement is to configure the wap to jumpcloud's radius and whitelist known company devices via mac address so they connect without authentication.

 

Will this cause connection attempts from unknown devices to be automatically blocked at the splash page even if you selected "sign-on with meraki authentication" in the meraki dashbaord, or will they get a prompt to authenticate and when they do, bypass the mac address restriction?

0 Kudos
In response to merakitales
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 22 2019 4:01 PM
‎Sep 22 2019 4:01 PM

If you use WPA2-Enterprise mode their is no splash page (normally), and you can't use group policy to bypass WPA2 authentication.

 

I did a quick Google and it Jump Cloud does not appear to support MAC address authentication (althought it has several references to Apple Macs).

 

Using just WPA2-Enterprise mode and Jump Cloud it does not look like you could prevent users from connecting personal devices.

 

What about providing a seperate SSID for staff personal devices and asking them to use that instead?

In response to PhilipDAth
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Sep 22 2019 7:43 PM
‎Sep 22 2019 7:43 PM

Sorry to hijack but if anyone wants to test using Jumpcloud you can use their service for up to 10 users for free. 

 

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to PhilipDAth
merakitales
Just browsing
‎Sep 23 2019 6:50 PM
‎Sep 23 2019 6:50 PM

Let me make a suggestion. Using the association requirement of WPA2-Enterprise with my Radius Server option, under the Splash page you would select Sign on with meraki authentication, assign block all access until sign on is complete, then add known machines to the whitelist via mac address. When an end-user device on the known machines list attempts to connect to the SSID, they get a prompt to enter their jumpcloud credentials then it bypasses the splash page requirement since their machine mac address is whitelisted. On the other hand, if an unknown machine successfully authenticates using a user's jumpcloud credentials, then they are taking to a splash page requesting the meraki authentication. The meraki authentication would be a single email-address and password set at Network-Wide > Users that only the administrators would know. Did I make it complicated or is this a possibility?

 

I'm basing my response of the following knowledge base articles:

https://support.jumpcloud.com/customer/portal/articles/2406833-configuring-a-cisco-meraki-wap-to-jum...

https://documentation.meraki.com/MR/Encryption_and_Authentication/Cloud_Hosted_Meraki_Authentication

https://documentation.meraki.com/MR/MR_Splash_Page/Using_a_Sign-on_Splash_Page_to_Restrict_Wireless_...

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.