I am building out a new network to replace an existing wireless network that used MAC filtering for clients. The old setup consisted of a pre-shared key and MAC list.
I see that in dashboard, you can go to organization-->clients and add a client to the network, but after I put in the MAC and a name, and hit save, it simply says "changes saved"; I don't see that MAC listed anywhere. Will it not show up until the client actually connects?
Also, to do MAC filtering do I have to use a Radius server? Or can I use the old pre-shared key with MAC filtering?
MAC addresses you add as clients don't show up until the client has connected, and then you have to display the list of clients for the time period the client would have been connected in.
Within the scope of the question you have asked, @kYutobi has given an excellent answer. Basically create a layer 3 firewall rule blocking all traffic, and then create a group policy and attach it to each individual client that overrides the firewall rules allowing the traffic for that one client.
HOWEVER, this is not a modern way of doing things. You should really consider using something like WPA2-Enterprise mode or at a minimum WPA2-PSK (with this last option being very simple to implement).
You could also consider using the "Trusted Access" feature of Systems Manager (although this does require you to buy Systems Manager licences). This uses certificate-based authentication - but frees you from having to manage the certificates.
"Trusted Access" is still a little "green" at the moment. Apple support is good. Android and Windows 10 support is weak to poor - but give it maybe another 3 months and that should be sorted out.
You can create a "group policy" that way you have a list of MAC addresses you import plus make your own rules and blocks for that policy. You won't need a RADIUS server.
I see the group policy creation screen, but don't see anywhere to add a list of MAC addresses
You add them as if you were adding a wireless client. Select the dropdown and assign policy.
I have the SSID and MAC working (assigned a policy to my laptop), but I am a little unclear on the firewall blocking.
So I should go into the SSID, select layer 3 firewall rules, and set the default action to block any to local LAN (or any), and simply leave it at that?
Wouldn't this block access to everything regardless of allowed MACs? Or does the individual group policy override that?
@Silas1066 The group policy will override it, but by default it will block everything else that doesn't have one.
Yes, it looks like it is working. Unless the client is listed with a MAC association and policy, they get "packet filtered" errors when trying to do anything on the network, so it looks like they are blocked.
Thanks for your help. This was a bit counter-intuitive, but now it makes sense.
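A small model of the access control the answers above describe (SSID layer 3 rules with a default deny, and a per-client group policy whose own rules override them), written as an added example; it is not Meraki's code or API, and the rule format, policy names and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass
class Rule:
    """One layer 3 firewall rule; lists are evaluated first-match-wins (assumption)."""
    policy: str            # "allow" or "deny"
    dst_cidr: str          # destination network, or "any"
    comment: str = ""

    def matches(self, dst_ip: str) -> bool:
        return self.dst_cidr == "any" or ip_address(dst_ip) in ip_network(self.dst_cidr)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:01, AA-BB-CC-DD-EE-01 or aabb.ccdd.ee01; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate(rules, dst_ip: str, default: str = "deny") -> str:
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.policy
    return default


# SSID-level rules: default action deny, so a client without a policy is blocked
# (the "packet filtered" result seen in the thread). Constructed sample.
SSID_RULES = [Rule("deny", "any", "SSID default action: block")]

# Each group policy carries its own rule list, which replaces the SSID rules for
# the clients it is assigned to. Constructed samples.
GROUP_POLICIES = {
    "allowed-devices": [Rule("allow", "any", "override: full access")],
    "lan-only": [Rule("allow", "192.168.1.0/24", "override: local LAN only"),
                 Rule("deny", "any", "still no internet for this client")],
}

# Client-to-policy assignments keyed by normalised MAC (constructed sample).
ASSIGNMENTS = {
    normalize_mac("AA-BB-CC-DD-EE-01"): "allowed-devices",
    normalize_mac("aabb.ccdd.ee02"): "lan-only",
}


def decide(mac: str, dst_ip: str, assignments=ASSIGNMENTS) -> str:
    """Return "allow" or "deny" for a packet from the client with this MAC to dst_ip."""
    policy_name = assignments.get(normalize_mac(mac))
    if policy_name is None:
        return evaluate(SSID_RULES, dst_ip)                # no policy: SSID default deny
    return evaluate(GROUP_POLICIES[policy_name], dst_ip)   # policy overrides SSID rules
```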
Hello!
In a network that only has an MS120-8FP switch and 2 MR46 APs installed, would it be possible to use a group policy to perform MAC filtering? I have tried it but I have not been able to get it to work, the devices connected and browsed the same whether they had the group policy applied or not.
Thanks
Yes, but you can also simply limit access based on MAC address. You don't provide enough info to really help you, but for WiFi you could use iPSK:
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS
For wired clients you could use a sticky MAC address.
https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports
The clients are wireless and I want to filter the clients by their MAC. But I don't have an MX device installed, only a switch, and I can only configure a Deny rule in Wireless -> Firewall & Traffic Shaping to apply a group policy, but I'm not sure if it is going to work.
Thanks!