MAC filtering on wireless

Solved
Silas1066
Getting noticed

MAC filtering on wireless

I am building out a new network to replace an existing wireless network that used MAC filtering for clients. The old setup consisted of a pre-shared key and MAC list.

 

I see that in dashboard, you can go to organization-->clients and add a client to the network, but after I put in the MAC and a name, and hit save, it simply says "changes saved" --I don't see that MAC listed anywhere. Will it not show up until the client actually connects?

 

Also, to do MAC filtering do I have to use a Radius server? Or can I use the old pre-shared key with MAC filtering?

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

MAC addresses you add as clients don't show up until the client has connected, and then you have to display the list of clients for the time period the client would have been connected in.

 

Within the scope of the question you have asked, @kYutobi  has given an excellent answer.  Basically create a layer 3 firewall rule blocking all traffic, and then create a group policy and attach it to each individual client that overrides the firewall rules allowing the traffic for that one client.

 

HOWEVER, this is not a modern way of doing things.  You should really consider using something like WPA2-Enterprise mode or at a minimum WPA2-PSK (with this last option being very simple to implement).

You could also consider using the "Trusted Access" feature of Systems Manager (although this does require you to buy Systems Manager licences).  This uses certificate based authentication - but frees you from having to manage the certificates.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Trusted_Access_for_S... 

"Trusted Access" is still a little "green" at the moment.  Apple support is good.  Android and Windows 10 support is weak to poor - but give it maybe another 3 months and that should be sorted out.

View solution in original post

10 Replies 10
kYutobi
Kind of a big deal

You can create a "group policy" that way you have a list of MAC addresses you import plus make your own rules and blocks for that policy. You won't need a RADIUS server. 

 

kYutobi_0-1580144070420.png

 

Enthusiast
Silas1066
Getting noticed

I see the group policy creation screen, but don't see anywhere to add a list of MAC addresses 

kYutobi
Kind of a big deal

You add them as if you were adding a wireless client. Select the dropdown and assign policy.

 

kYutobi_0-1580146346206.png

 

Enthusiast
PhilipDAth
Kind of a big deal
Kind of a big deal

MAC addresses you add as clients don't show up until the client has connected, and then you have to display the list of clients for the time period the client would have been connected in.

 

Within the scope of the question you have asked, @kYutobi  has given an excellent answer.  Basically create a layer 3 firewall rule blocking all traffic, and then create a group policy and attach it to each individual client that overrides the firewall rules allowing the traffic for that one client.

 

HOWEVER, this is not a modern way of doing things.  You should really consider using something like WPA2-Enterprise mode or at a minimum WPA2-PSK (with this last option being very simple to implement).

You could also consider using the "Trusted Access" feature of Systems Manager (although this does require you to buy Systems Manager licences).  This uses certificate based authentication - but frees you from having to manage the certificates.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Trusted_Access_for_S... 

"Trusted Access" is still a little "green" at the moment.  Apple support is good.  Android and Windows 10 support is weak to poor - but give it maybe another 3 months and that should be sorted out.

Silas1066
Getting noticed

I have the SSID and MAC working (assigned a policy to my laptop), but I am a little unclear on the firewall blocking

 

so I should go into the SSID and select layer 3 firewall rules and set the default action to block any to local LAN (or any) and simply leave it as that?

 

wouldn't this block access to everything regardless of allowed MACs? Or does the individual group policy override that?

kYutobi
Kind of a big deal

@Silas1066 The group policy will override it but by default it will block everything else that's doesn't have one.

Enthusiast
Silas1066
Getting noticed

yes, it looks like it is working. Unless the client is listed with a MAC association and policy, they get "packet filtered" errors when trying to do anything on the network--so it looks like they are blocked.

 

thanks for your help. This was a bit counter-intuitive, but now it makes sense 

Sandra_Linares
Here to help

Hello! 

 

In a network that only has an MS120-8FP switch and 2 MR46 APs installed, would it be possible to use a group policy to perform MAC filtering? I have tried it but I have not been able to get it to work, the devices connected and browsed the same whether they had the group policy applied or not.

 

Thanks

PhilipDAth
Kind of a big deal
Kind of a big deal

Yes, but you can also simply limit access based on MAC address.  You don't provide enough info to really help you, but for WiFi you could use iPSK:

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS 

 

For wired clients you could use a sticky MAC address.

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports 

Sandra_Linares
Here to help

The clients are wireless and I want to filter the clients by their MAC. But I don't have installed a MX device, only have a switch and I only can configure a Deny Rule in Wireless -> Firewall&Traffic Shaping to apply a group policy but I'm not sure if it is going to work.

 

Thanks!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels