Hi guys,
Hope you're doing well!
I am planning to set up MAC-based access control on a specific SSID on Meraki, just to prevent personal devices from connecting to that SSID and allow only corporate users to connect. This way the RADIUS server, instead of authenticating users via their username and password, will allow them in based on their MAC address.
Will the system automatically detect the users' device MAC addresses, or do I have to enter all device MAC addresses manually?
Looking forward to your reply.
Thanks!
You need to create the user manually.
Thank you, we already have the APs communicating with AD; can we still proceed by doing this?
Thanks!
Yes, but keep in mind that you will need to change your AD password policy to a less secure policy.
In case I leave the AD policy as it is, actually my focus is on creating users manually on AD (I guess that's what this means).
Here is the scheme: all APs are configured for RADIUS, the APs are not playing the DHCP role, and the DHCP server gives IPs to all corporate users once connected, so every request goes first to AD, which grants users access to the wireless network.
I'm not keen on this approach when using NPS on Windows because you have to create an AD account where the username and password is the MAC address.
This means if someone knows the MAC address of any device that can connect (which can be worked out easily by just sniffing the wireless traffic of connected devices), they can attempt to use that for authentication against anything using AD.
It is really hard in AD to block accounts from being able to authenticate for anything except NPS. I'll go further and say it is probably impossible. You might think you have, but probably have missed something.
A stronger option would be to change to certificate-based authentication for devices. Create an AD group policy to automatically deploy certificates to devices in AD, and then configure your WiFi environment to authenticate using those certificates.
A weaker option that doesn't increase the risk to everything attached to your AD would be to stick with your current username/password authentication, but change the Meraki firewall policy to a default deny. Then create a group policy called something like "Approved-for-WiFi" that overrides the firewall policy and gives users access, and then apply that to every device in the Meraki dashboard that you want to have access.