Hi,
A little background on what I'd like to do / planning to do.
All of our users are now using laptops as their main workstation. I would like to implement wireless access to our local LAN to help our users work anywhere within the office.
The main things stopping me from doing this are these 2:
1) Users sometimes bring their own device and connect their own phone or laptop to the Wireless LAN network (we're still using Password based authentication)
2) Regular changing of passwords is a pain since users tend to forget or ignore the announcement that the password will be changed on that date and we'll get angry calls that they can't connect to their meeting since the internet is broken (I've had a lot of cases of this).
Due to this, I want to implement a MAC-based access control on my Wireless network. I want specified MAC addresses to be able to connect to certain SSIDs only to maintain the proper separation between groups.
Laptop logon is via fingerprint anyway so we're sure we're getting authenticated users.
Now on to the testing. I followed the steps outlined in these guides:
Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki
Enabling MAC-based access control on an SSID - Cisco Meraki
However, I can't seem to get my test laptops to connect.
Here's the current setup right now:
I have 3 laptops: IT, CS and HR. I also have 3 separate SSIDs, one for each group.
On my test.test domain, I have a Group_Laptop_Users where the usernames of the laptops are their MAC addresses (and also their password) for testing purposes.
NPS is configured to point to the Access Point. Passwords are the same.
When I tried to connect the IT laptop to the IT_WIFI it failed, as did the 2 other laptops.
Questions:
1) Is my scenario possible? I literally don't get how this MAC-based authentication works since on the NPS I only associated the group of laptops with their username and password as their MAC. Is that it? That's the MAC-based authentication?
2) How do I separate the access for my laptops, i.e. I only want HR users to access the HR WIFI. Should I create separate policies for each SSID that I create?
Thanks for reading!