Wireless MAC Address Filtering and User Identification

dromios
Getting noticed

Hello,

I am looking for a solution to implement MAC-address filtering along with user identification when users connect to an SSID. From what I've read, to identify users Meraki Authentication must be used with a splash page, and LDAP/AD/RADIUS cannot be used.

I saw that there was an option to connect via MAC address but that the solution does not offer encryption, which is upsetting.

The only thing I've come up with to accomplish these goals is to set a small DHCP scope with hardcoded reservations for users and expand the scope by one any time a new user needs access to the network. This solution, coupled with splash-screen Meraki Authentication, seems cumbersome. I pondered simply renaming the wireless devices with the user's name, which may be a solution, but also cumbersome.

Am I going about this the wrong way? Is there another option out there?

Thank you,

Doug

3 Replies
BrechtSchamp
Kind of a big deal

Check this page:

https://documentation.meraki.com/MR/MR_Splash_Page/Using_a_Sign-on_Splash_Page_to_Restrict_Wireless_...

When whitelisting the user's MAC address it should bypass the splash page. You can combine WPA-PSK with splash pages if you need encryption.

You can also just use WPA-Enterprise, with RADIUS or Meraki Authentication. Unless I'm mistaken, the users will then also be identified. You should see the user they've logged in with in the "user" column (you may need to add the column with the little "+" at the top right).

I'll have to check and see if the users will show up, but I remember specifically reading that you need to use Meraki Authentication for users to show. I haven't had much time to play with it given recent circumstances.

WiffiIsBestPHY
Conversationalist

I think the real question here is what security problem are you trying to solve?

WPA2 (and 3) Enterprise already solves your goal of identifying users by using individual logins instead of a shared key.

I'm really failing to see how MAC- or DHCP-based security adds any real security on top of that?

If you use WPA2/3 PSK with almost any variety of extra MAC security:

1. For outside attackers: WPA2 PSK/Enterprise will keep them out for quite a long time.

2. For attackers that already have the PSK: Option 1: Anyone with the PSK can decrypt the packets going to other hosts by observing a handshake. You can force a handshake by sending a deauth packet (unless you have 802.11w set to enabled or required) or just wait for a client to connect. Then you can sniff the DHCP traffic and learn the subnet attached to that SSID. The attacker then gives their device a static IP in that subnet. Ta-da, they are past your DHCP/MAC security.

Option 2: the attacker (with the PSK) changes their MAC address to match an attached device. Networking weirdness ensues, but the attacker can probably still access your network.

Or, you spin up a RADIUS server like NPS, ISE or FreeRADIUS and attach that to where you keep your user accounts. Then each user can only see their own traffic, and you can assign a VLAN or a Group Policy per user or user group.
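As an added illustration of the per-user VLAN assignment described in this reply (this is not code from the thread, from Meraki, or from the FreeRADIUS project), here is what the RADIUS side looks like in a FreeRADIUS v3 `users` file (`raddb/mods-config/files/authorize`). The usernames, passwords and VLAN IDs are constructed placeholders; in a real deployment the credential check comes from LDAP/AD through an EAP method such as PEAP-MSCHAPv2 or EAP-TLS rather than a `Cleartext-Password` entry.

```text
# Added example, not from the thread. Each entry returns the standard
# RFC 3580 tunnel attributes so the AP places the client on a per-user VLAN.
# "Tunnel-Private-Group-Id" is the VLAN ID as a string; values below are
# constructed placeholders.

alice   Cleartext-Password := "placeholder-change-me"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

bob     Cleartext-Password := "placeholder-change-me"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"
```

Two practical notes. First, the AP or controller must be configured to honor RADIUS-assigned VLANs, otherwise the attributes are accepted but ignored and every client lands on the SSID's default VLAN. Second, a user who authenticates but matches no entry gets no tunnel attributes and therefore also lands on that default VLAN, so make the SSID's default VLAN the most restrictive one (guest or quarantine) rather than the one with production access. Because the VLAN decision is tied to the authenticated identity and not to the client's MAC address, spoofing another device's MAC address does not move an attacker into another user's VLAN, which is the property MAC filtering alone cannot give you.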
