Setting up an MR44 to allow only a few clients using MAC address filtering

Solved
SCampisi
Just browsing

Setting up an MR44 to allow only a few clients using MAC address filtering

I am needing to setup secure access to a wireless network and i have three tablets that i want to access the network, but no other devices of any type.  I thought i would be able to just allow a few MAC addresses and that would be done, but i dont find that functionality in the admin on the dashboard.  I saw a post telling me to setup a layer 3 rule blocking all access, and then whitelist the tablets individualy but that seems odd to me and seems a backwards way to do this.  is thre a simpler way?  i am having trouble setting up a rule that blocks all devices given that there is  a default rule that i can't delete that allows all traffic.

 

Can anyone help?

1 Accepted Solution
Russ_B
Getting noticed

@SCampisi- You don't need to delete or change the default rule.  The rules are processed top down, so when you add a new rule for the SSID and set it to Deny Any Protocol to Any Destination that will be the top rule.

 

At this point, your clients would be able to connect, but not access anything.

 

Then you could go to Network Wide/Clients, click the check box for the clients you want to allow, then drop down the Policy box and add them to the Allow list.

 

I just tested this in the lab here and it seemed to work as expected.

View solution in original post

6 Replies 6
ww
Kind of a big deal
Kind of a big deal

What you described should be working.

The other option is using a radius server.

 

If its just 1 or a few AP you could filter mac on a switch port, if your switch support it.

Russ_B
Getting noticed

@SCampisi- You don't need to delete or change the default rule.  The rules are processed top down, so when you add a new rule for the SSID and set it to Deny Any Protocol to Any Destination that will be the top rule.

 

At this point, your clients would be able to connect, but not access anything.

 

Then you could go to Network Wide/Clients, click the check box for the clients you want to allow, then drop down the Policy box and add them to the Allow list.

 

I just tested this in the lab here and it seemed to work as expected.

BlakeRichardson
Kind of a big deal
Kind of a big deal

Bear in mind MAC filtering isn't totally secure as MAC addresses can be spoofed. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Aaron_Wilson
A model citizen

What Blake said. For wireless you really want to avoid any MAC based filtering/access. You can see the MAC for any wireless device, as because of this anyone could spoof and gain immediate access to the network.

SCampisi
Just browsing

thanks for all the information. 

 

i agree that mac filtering is a potentially, unsecure option, but unfortunately, i am setting up a network for a franchise and i am forced to setup the wiri based on their mandates.

 

MAC filtering

ambiguous hidden SSID

Strong wifi password on rotation.

 

i had considered using the meraki authentication and then wwhitelisting the macs, but that option seems to bypass the wifi auth and so it doesn't meet my requirements.  is anyone using the meraki auth?

 

 

 

Aaron_Wilson
A model citizen

If they are using WPA2/3 passwords, that great. Hiding SSID and MAC filtering is mostly to keep away the non-tech people who likely do not pose a threat to begin with.

 

Good to hear passwords are being used.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels