Meraki

Community

Setting up an MR44 to allow only a few clients using MAC address filtering

Solved
SCampisi
Just browsing
‎Aug 31 2021 6:50 AM
‎Aug 31 2021 6:50 AM

Setting up an MR44 to allow only a few clients using MAC address filtering

I am needing to setup secure access to a wireless network and i have three tablets that i want to access the network, but no other devices of any type.  I thought i would be able to just allow a few MAC addresses and that would be done, but i dont find that functionality in the admin on the dashboard.  I saw a post telling me to setup a layer 3 rule blocking all access, and then whitelist the tablets individualy but that seems odd to me and seems a backwards way to do this.  is thre a simpler way?  i am having trouble setting up a rule that blocks all devices given that there is  a default rule that i can't delete that allows all traffic.

 

Can anyone help?

0 Kudos
1 Accepted Solution
Russ_B
Getting noticed
‎Aug 31 2021 8:51 AM
‎Aug 31 2021 8:51 AM

@SCampisi- You don't need to delete or change the default rule.  The rules are processed top down, so when you add a new rule for the SSID and set it to Deny Any Protocol to Any Destination that will be the top rule.

 

At this point, your clients would be able to connect, but not access anything.

 

Then you could go to Network Wide/Clients, click the check box for the clients you want to allow, then drop down the Policy box and add them to the Allow list.

 

I just tested this in the lab here and it seemed to work as expected.

View solution in original post

0 Kudos
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Aug 31 2021 8:25 AM
‎Aug 31 2021 8:25 AM

What you described should be working.

The other option is using a radius server.

 

If its just 1 or a few AP you could filter mac on a switch port, if your switch support it.

0 Kudos
Russ_B
Getting noticed
‎Aug 31 2021 8:51 AM
‎Aug 31 2021 8:51 AM

@SCampisi- You don't need to delete or change the default rule.  The rules are processed top down, so when you add a new rule for the SSID and set it to Deny Any Protocol to Any Destination that will be the top rule.

 

At this point, your clients would be able to connect, but not access anything.

 

Then you could go to Network Wide/Clients, click the check box for the clients you want to allow, then drop down the Policy box and add them to the Allow list.

 

I just tested this in the lab here and it seemed to work as expected.

0 Kudos
In response to Russ_B
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Aug 31 2021 8:32 PM
‎Aug 31 2021 8:32 PM

Bear in mind MAC filtering isn't totally secure as MAC addresses can be spoofed. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Aaron_Wilson
A model citizen
‎Sep 1 2021 7:32 PM
‎Sep 1 2021 7:32 PM

What Blake said. For wireless you really want to avoid any MAC based filtering/access. You can see the MAC for any wireless device, as because of this anyone could spoof and gain immediate access to the network.

0 Kudos
In response to Aaron_Wilson
SCampisi
Just browsing
‎Sep 2 2021 7:15 AM
‎Sep 2 2021 7:15 AM

thanks for all the information. 

 

i agree that mac filtering is a potentially, unsecure option, but unfortunately, i am setting up a network for a franchise and i am forced to setup the wiri based on their mandates.

 

MAC filtering

ambiguous hidden SSID

Strong wifi password on rotation.

 

i had considered using the meraki authentication and then wwhitelisting the macs, but that option seems to bypass the wifi auth and so it doesn't meet my requirements.  is anyone using the meraki auth?

 

 

 

0 Kudos
In response to SCampisi
Aaron_Wilson
A model citizen
‎Sep 2 2021 7:47 AM
‎Sep 2 2021 7:47 AM

If they are using WPA2/3 passwords, that great. Hiding SSID and MAC filtering is mostly to keep away the non-tech people who likely do not pose a threat to begin with.

 

Good to hear passwords are being used.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.