MAC-based access control on SSID with RADIUS

tli
Comes here often


Hi guys,

Hope you're doing well!

I am planning to set up MAC-based access control on a specific SSID on Meraki. It is just to prevent personal devices from connecting to a specific SSID and allow only corporate users to connect. This way the RADIUS server, instead of authenticating users via their username and password, will allow them in based on their MAC address.

Will the system automatically detect the users' device MAC addresses, or do I have to enter all device MAC addresses manually?

Looking forward to your reply.

Thanks!

alemabrahao
Kind of a big deal

You need to create the user manually. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_User_Accounts_in_Active_D...

tli
Comes here often

Thank you, we already have the APs communicating with AD. Can we still proceed by doing this?

Thanks!

alemabrahao
Kind of a big deal

Yes, but keep in mind that you will need to change your AD password policy to a less secure policy.

tli
Comes here often

In case I leave the AD policy as it actually is, my focus is on creating users manually in AD (I guess that is what this means).

Here is the scheme: all APs are configured to use the RADIUS server, the APs are not playing the DHCP role, and the DHCP server gives an IP to every corporate user once connected. So every request goes first to AD, which grants users access to the wireless network.

PhilipDAth
Kind of a big deal

I'm not keen on this approach when using NPS on Windows because you have to create an AD account where the username and password are both the MAC address.

This means if someone knows the MAC address of any device that can connect (which can be worked out easily by just sniffing the wireless traffic of connected devices), they can attempt to use that for authentication against anything using AD.

It is really hard in AD to block accounts from being able to authenticate for anything except NPS. I'll go further and say it is probably impossible. You might think you have, but probably have missed something.

A stronger option would be to change to certificate-based authentication for devices. Create an AD group policy to automatically deploy certificates to devices in AD, and then configure your WiFi environment to authenticate using those certificates.

A weaker option that doesn't increase the risk to everything attached to your AD would be to stick with your current username/password authentication, but change the Meraki firewall policy to a default deny. Then create a group policy called something like "Approved-for-WiFi" that overrides the firewall policy and gives users access, and then apply that to every device in the Meraki dashboard that you want to have access.
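If the MAC-as-username accounts are created anyway, the risk PhilipDAth describes can at least be watched for. The following is an added example (not code from the thread, Meraki or Microsoft) that scans simplified Windows credential-validation events for MAC-shaped account names that authenticate from anywhere other than the NPS server or interactively; the NPS host name `NPS01` and the event records are constructed assumptions.

```python
import re

# Assumed host name of the RADIUS/NPS server; not from the thread.
NPS_HOST = "NPS01"

# An account name that is a bare MAC address: six hex octets, with ':' or '-'
# separators or none at all (e.g. AA-BB-CC-11-22-33 or aabbcc112233).
MAC_NAME = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)


def is_mac_account(name: str) -> bool:
    """True when the account name looks like a MAC address."""
    return bool(MAC_NAME.match(name.strip()))


def suspicious_logons(events):
    """Flag MAC-named accounts authenticating from anywhere but the NPS host.

    Each event is a simplified dict of the fields from Windows 4624/4776
    security events that matter here: TargetUserName, WorkstationName
    (the source of the credential validation) and LogonType. A legitimate
    MAC-bypass authentication arrives via the NPS server as a network
    logon (type 3); an interactive logon (type 2 or 10) or a validation
    coming from any other host means the MAC "password" is being reused.
    """
    findings = []
    for ev in events:
        if not is_mac_account(ev.get("TargetUserName", "")):
            continue
        from_nps = ev.get("WorkstationName", "").upper() == NPS_HOST.upper()
        interactive = ev.get("LogonType") in (2, 10)
        if not from_nps or interactive:
            findings.append(ev)
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4776, "TargetUserName": "AA-BB-CC-11-22-33", "WorkstationName": "NPS01", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "jdoe", "WorkstationName": "LAPTOP-07", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "aabbcc112233", "WorkstationName": "FILESRV", "LogonType": 3},
    {"EventID": 4776, "TargetUserName": "AA-BB-CC-11-22-33", "WorkstationName": "WKS-42", "LogonType": 3},
]

if __name__ == "__main__":
    for ev in suspicious_logons(SAMPLE_EVENTS):
        print(f"event {ev['EventID']}: MAC account {ev['TargetUserName']} "
              f"authenticated from {ev['WorkstationName']} (logon type {ev['LogonType']})")
```

On the constructed sample, the first event is the expected NPS path and is ignored, while the two validations from FILESRV and WKS-42 are reported.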
