Meraki

Community

Wireless Access Control

bluegreene
Here to help
‎Oct 29 2022 4:07 AM
‎Oct 29 2022 4:07 AM

Wireless Access Control

Is there a way to configure access to an SSID based not only on a PSK/User Credentials, but also limit access to certified devices? For example, staff can connect to the corporate SSID using their Active Directory credentials, but only on devices that have been whitelisted by IT with a client-side certificate or MAC address list?

 

If System Manager is a solution, are there alternatives like Windows NPS or FreeRADIUS?

 

Any walkthrough or how-to guides on how to set it up?

Labels:
0 Kudos
6 Replies 6
Brash
Kind of a big deal
Kind of a big deal
‎Oct 29 2022 4:20 AM
‎Oct 29 2022 4:20 AM

These are easily achievable with a RADIUS server such as the ones you mentioned.

There's a decent guide for configuring Meraki with Microsoft NPS. You can then alter the policies for what best works in your environment

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 29 2022 4:54 AM
‎Oct 29 2022 4:54 AM

For using 802.1x based on the certificate the best option is using 802.1x with EAP-TLS:

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_suppor...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 29 2022 5:57 AM
‎Oct 29 2022 5:57 AM

You can also use MAB:

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Mic...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bluegreene
Here to help
‎Nov 1 2022 3:45 AM
‎Nov 1 2022 3:45 AM

We'll save MAB as a last resort.  I am not a fan of the way Microsoft handles MAB authentication with NPS.  500+ additional AD accounts to manage would be a management overhead nightmare.  Pushing certificates to devices enrolled in our MDM is much more manageable.

 

Thanks!

0 Kudos
In response to alemabrahao
bluegreene
Here to help
‎Nov 1 2022 3:43 AM
‎Nov 1 2022 3:43 AM

We'll give this a try and report back.  Thanks!

0 Kudos
In response to bluegreene
bluegreene
Here to help
‎Nov 1 2022 1:15 PM
‎Nov 1 2022 1:15 PM

We're still testing but this appears to be working.  Allowing domain joined machines to join.

 

How do we go about doing the same on iOS and iPadOS devices?  We currently use Intune as or MDM.

 

Thanks!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.