WPA2 PSK with MAC Address Filter

Solved
Dan_Andolsen
Here to help

I have read through Meraki's AP configuration guide about MAC address filtering, and see that it is only supported via "Association requirements" with "no encryption."

In non-Meraki, Cisco-based Wi-Fi infrastructure, you can use both WPA2 encrypted data and MAC Address filtering.

Does Meraki support Wi-Fi encrypted data configuration and MAC Address filtering?

Thanks

1 Accepted Solution
CptnCrnch
Kind of a big deal

The „fine manual“ is correct (as almost always): you can have PSK or MAC filtering in Meraki world. Not both.

4 Replies
SantiagoGarces
Conversationalist

Meraki currently has MAC filtering through RADIUS; however, there is another method: create a group policy in which you deny everything, and add the devices that you want to be able to browse to the Full access policy.

dromios
Getting noticed

I haven't been able to find documentation on doing MAC address filtering with wifi over radius.  Do you happen to have any documentation or guidance?

colinster
Getting noticed

Here's the proper solution! Meraki has MAC address filtering "built-in" because Policy settings are so easy. Meraki Policy settings are based on the MAC address. A lot of customers have this question.

There are multiple ways to use a client MAC address to authorize access on a PSK encrypted network. I'll order them from easy to hard to implement:

Solution 1. Enable PSK and Click-through Splash and set up a Custom Hosted Splash page that authorizes based on MAC address.

https://documentation.meraki.com/MR/MR_Splash_Page/Using_a_Sign-on_Splash_Page_to_Restrict_Wireless_...

Solution 2. Enable PSK and Click-through Splash and set up a Custom Hosted Splash page that authorizes based on MAC address. You should consider SplashAccess.com instead of building it yourself.

Solution 3. Enable PSK and add a firewall rule for the SSID blocking all access. Then use Meraki's policy settings to apply a whitelist policy or apply a Group Policy but just for devices requiring access.

Solutions requiring a RADIUS Server:

Solution 4. Enable PSK and Sign-on with my RADIUS server and configure your RADIUS server to authorize based on a MAC address. Most RADIUS servers can do this.

Solution 5. Enable the new feature Identity PSK with RADIUS and configure your RADIUS server to allow specific MAC addresses.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication

While the previous post accepted as a solution is still sort of correct, you can't choose PSK and "MAC-based auth" at the same time. But MAC based auth / MAB is not the only type of MAC based authentication/authorization. If you DON'T need a PSK, and really want "MAC based auth" you cannot use PSK. This is primarily used with Cisco ISE deployments for guest WiFi. However, I much prefer the built-in Splash page.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC_based_access_control_...

Colin Lowenberg
wireless engineer and startup founder, formerly known as "the API guy", now I run a Furapi, the therapy dog service, and Lowenberg Labs, an IT consulting company.
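
A sketch of the MAC check behind the custom-hosted click-through splash page in Solutions 1 and 2, added here as an example and not part of the original post or Meraki's own code. It assumes the splash redirect carries the `client_mac`, `base_grant_url` and `user_continue_url` query parameters and that grant URLs live under `network-auth.com`; the allowlist and function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist for illustration; load from your device inventory.
ALLOWED_MACS = {"00:11:22:33:44:55", "a4:5e:60:aa:bb:cc"}

# Assumption: hosts the grant redirect may point at. Adjust to what your
# network actually sends in base_grant_url.
TRUSTED_GRANT_SUFFIXES = (".network-auth.com",)

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff form, or None if raw is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def grant_redirect(query_string):
    """Return the grant URL for an allowlisted client, else None (deny)."""
    params = parse_qs(query_string)
    # client_mac is a request parameter and MAC addresses are not secret,
    # so this is a device filter layered on the PSK, not authentication.
    mac = normalize_mac(params.get("client_mac", [""])[0])
    grant = params.get("base_grant_url", [""])[0]
    cont = params.get("user_continue_url", [""])[0]
    if mac is None or mac not in ALLOWED_MACS:
        return None
    parts = urlsplit(grant)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(TRUSTED_GRANT_SUFFIXES):
        return None  # never redirect to an arbitrary URL (open redirect)
    return grant + "?" + urlencode({"continue_url": cont})
```

A web handler for the splash URL would pass the request's query string to `grant_redirect` and answer with a 302 to the returned URL, or a denial page when it returns `None`.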