SSID config for wireless payment devices

MOmarm
Conversationalist


Hi,

 

I'm researching the best config/best practice for creating an SSID specifically for wireless payment devices. We want to keep the VLAN for these devices isolated from the rest of the network. So these questions are specifically for wireless payment devices: Ingenico iSMP4 Companion.


1- I want to use MAC-based access control that uses a RADIUS server. It says there is no encryption for this, but I'm assuming that's just for the authentication part, not the actual traffic. Would this be the best option to use for payment devices?

 

2- What's the difference between MAC based access control and the Enterprise option?
cmr
Kind of a big deal

We use PSK with WPA2. I don't think the MAC-based access control has encryption at all for association, so MAC addresses can be sniffed and copied, so it isn't suitable. We keep them on a separate VLAN and then out to the acquirer. They are Ingenico devices and this works well. Make sure you have the latest devices, as the previous gen couldn't roam due to a firmware bug.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

How many devices are you talking about and over how many stores?

 

How many people will be setting them up? 

MOmarm
Conversationalist

We're looking at around 56 devices.
I will be configuring the network part of it and my coworker will be setting up the devices.

MOmarm
Conversationalist

Hi. Sorry, did you have a suggestion?

MOmarm
Conversationalist

I'm assuming you use Layer 3 roaming. Do you have a separate VLAN for the payment devices or do you use your data VLAN?

cmr
Kind of a big deal

We use bridge mode to a VLAN that only has the payment devices on.

RyanNelson_9
New here


Hi

 

1. MAC-based Access Control with RADIUS
You're right—MAC-based authentication itself isn’t encrypted, but the actual traffic can still be encrypted with WPA2/WPA3. While this setup works for payment devices, consider adding other layers like 802.1X for stronger security, as MAC addresses can be spoofed.

 

2. MAC-based vs. Enterprise Authentication
MAC-based: Authenticates by device MAC address. It’s simpler but less secure.
Enterprise (802.1X): Uses credentials (certificates, usernames) for authentication, offering stronger security and encryption, including during the authentication phase.
For the best security with isolated payment VLANs, Enterprise authentication (802.1X) is the recommended option, though it’s more complex.
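
As an added example (not part of any reply in this thread and not vendor code), the Python check below applies the thread's points to candidate SSID settings: MAC-based access control leaves the air link unencrypted and the MAC copyable, and the payment VLAN should carry only payment devices. The record fields, SSID names and VLAN numbers are a constructed, hypothetical schema.

```python
# Added example: audit candidate payment-SSID settings against the points
# raised in this thread. Field names are a hypothetical schema, not a vendor API.

ENCRYPTED = {"wpa2", "wpa3"}

# Constructed sample records: three candidate auth choices plus a shared-VLAN case.
SSIDS = [
    {"name": "pay-mac-only", "auth": "mac-radius", "encryption": None, "vlan": 40},
    {"name": "pay-psk", "auth": "psk", "encryption": "wpa2", "vlan": 40},
    {"name": "pay-eap", "auth": "8021x", "encryption": "wpa2", "vlan": 40},
    {"name": "pay-shared", "auth": "psk", "encryption": "wpa2", "vlan": 10},
]

# Constructed inventory: which device classes sit on each VLAN.
VLAN_MEMBERS = {40: {"payment"}, 10: {"payment", "data"}}


def audit_ssid(ssid, vlan_members):
    """Return a sorted list of finding codes for one SSID record."""
    findings = set()
    if ssid.get("encryption") not in ENCRYPTED:
        # No WPA2/WPA3 on the air: frames, including MAC addresses, can be sniffed.
        findings.add("no-link-encryption")
    if ssid["auth"] == "mac-radius":
        # The MAC address is the credential, and it can be copied by another device.
        findings.add("spoofable-mac-auth")
    # An unknown VLAN id yields an empty set and is reported as not dedicated.
    if vlan_members.get(ssid["vlan"], set()) != {"payment"}:
        findings.add("vlan-not-dedicated")
    return sorted(findings)


def audit_all(ssids, vlan_members):
    """Map each SSID name to its findings; an empty list means no finding."""
    return {s["name"]: audit_ssid(s, vlan_members) for s in ssids}


if __name__ == "__main__":
    for name, findings in audit_all(SSIDS, VLAN_MEMBERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```
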
