Meraki

Community

Restrict access by mac address in SSID (all clients blocked by default until explicitly allowed)

jperez_netics
New here
‎May 29 2024 1:46 PM
‎May 29 2024 1:46 PM

Restrict access by mac address in SSID (all clients blocked by default until explicitly allowed)

as far as i know, if an endpoint connect to the wireless network, i can then restrict the access using device policy and choosing normal, block or allow

 

what the customer wants is exactly that function but backwards, i mean, if we can set device policy on block by default for any new users and manually put them in allow or normal, is this possible?

 

i tried to do that but i think that i'm missing something or it can't be done the way they want

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
‎May 29 2024 1:53 PM
‎May 29 2024 1:53 PM

Not directly on the SSID, you would need a Radius server to restrict it this way.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_...

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Mic...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎May 29 2024 5:43 PM
‎May 29 2024 5:43 PM

An option that might work...
 - Create a VLAN and assign a group policy to it that denies all traffic. Set this VLAN on the SSID.

 - Once the device has connected, manually change the group policy of that device to one which allows network traffic.

IvanJukic
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎May 29 2024 5:45 PM
‎May 29 2024 5:45 PM

Hi @jperez_netics

 

What about Layer 2/3 LAN isolation? Client that connect to a "blocked SSID", can be denied (except, DNS and DHCP, which you can controll anyway) to local netwoks. 

 

 

'Deny Local LAN' settings in Cisco Meraki MR firewall

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_...

 

 

 

 


Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
christy2951hern
New here
‎May 30 2024 11:38 PM
‎May 30 2024 11:38 PM

You're right, most traditional Wi-Fi access points (APs) don't offer the functionality of blocking by default and allowing by exception for MAC addresses within an SSID (Service Set Identifier). However, there are alternative approaches to achieve a similar outcome. ny state of health
MAC Filtering with Open Network (Least Secure) This method involves creating an open Wi-Fi network (no password) and restricting access only to authorized MAC addresses through the router/access point's settings.
This approach is not recommended for secure environments as anyone can connect and potentially see network traffic if they have the authorized device's MAC address.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.