Restrict access by PSK and MAC?
Is it possible to restrict access to a wireless network by requiring both a passphrase and the MAC address being whitelisted?
You could set the firewall rules to a default "deny any". Then a user would only get access if they knew both the PSK and you whitelisted them to override the deny.
Could you instead use WPA2-Enterprise mode with Meraki authentication? Then each device would need both a username and a password, and you can disable an individual device easily.
Another option is to use a unique PSK per device.
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS
@WarrenG : Check this out
https://documentation.meraki.com/MR/Encryption_and_Authentication/Cloud_Hosted_Meraki_Authentication
For MAC, check this thread
https://community.meraki.com/t5/Wireless-LAN/MR-authentication-with-MAC/m-p/56629
It would seem like using a PSK together with MAC address whitelisting should be a pretty simple option. Why is it that while Meraki's interface is very simplified, you can never seem to do the simple things that you might need to do?
Once you create the "deny any" rule (just one single rule), it's like 4 mouse clicks (just tried it) to whitelist a client from the client view.
I'm not sure how Meraki could make this simpler or easier.
Okay so I'm trying to track with you here. I create a deny rule on the particular SSID I need to lock down. How do you then whitelist a client from the client view?
It's called "Allow" rather than "Whitelist". You can do it in several places, but the client's view is an easy way to do it.
Okay thanks Philip, I'm going to play with this and see if I can test it successfully. Thanks again for the help.
Within Wireless - Access Policy "Assign group policies by device type"... then select ALL the types and assign your PSK-ONLY-BLOCK-Group Policy 😉
Then within Network-Wide clients page - Add client section to override and assign a group policy to actually allow things 😉
Thanks @Paul_H, I'm going to try Philip's method first and will come back to this if I can't get that working. Thanks again!
Hey @WarrenG !
I've definitely encountered this before, and as mentioned above you could leverage a firewall to do it like @PhilipDAth and/or leverage @Inderdeep's ideas as well!
A 3rd option... (because Meraki is SO flexible 😉 ) You can:
--> Create an SSID with PSK and enforce a group policy to be applied that has deny ANY ANY.
--> Under Network-Wide, Clients - Add a client by MAC address
--> Specify a unique Group Policy that grants access to that client MAC either globally or PER-SSID
--> Sit back like a Dashboard DJ!
Hope that helps as well!
