Meraki

Community

block personal devices

Lia
Comes here often
‎Jan 4 2018 7:10 AM
‎Jan 4 2018 7:10 AM

block personal devices

Wondering if anyone has done this before and can offer some tips on how to implement a solution...Here's our situation..

 

  • We're mainly a Mac shop with maybe 10-15 Windows users
  • We have our MX32 units set up to use RADIUS and user authentication
  • Mac machines are not domain-bound 

What we need to do:

  • Prevent all non-company devices from connecting to our corporate/internal wifi

What we've looked at:

  • Attempted to block MAC addresses on the RADIUS policy side but Apple does not have a set range of MAC addresses for each of their products
  • Attempted to use Meraki's "apply group policies by device type" setting but failed miserably -- when we tested by blocking all iPhones and Androids from our corporate network, Meraki started flagging all phones and some macbook pros as iPhones and blocked the company laptops from connecting
  • Swap to machine authentication instead of user auth -- cannot do this because the Macs are not domain-bound and can't simply use certs from our CA
  • Swap to machine auth by using Meraki's System Manager -- cannot do because cost and management doesn't want to do anything that cost money....

Only options I see but have not tried:

  • re-bind all Mac clients to the domain and configure machine auth with our CA
  • Set up a SCEP server to hand out certs to perform machine auth since Macs are not domain-bound

If any one has done something similar, could use some pointers. 

0 Kudos
7 Replies 7
BHC_RESORTS
Head in the Cloud
‎Jan 4 2018 9:01 AM
‎Jan 4 2018 9:01 AM

@Lia wrote:

Wondering if anyone has done this before and can offer some tips on how to implement a solution...Here's our situation..

 

  • We're mainly a Mac shop with maybe 10-15 Windows users
  • We have our MX32 units set up to use RADIUS and user authentication
  • Mac machines are not domain-bound 

What we need to do:

  • Prevent all non-company devices from connecting to our corporate/internal wifi

What we've looked at:

  • Attempted to block MAC addresses on the RADIUS policy side but Apple does not have a set range of MAC addresses for each of their products
  • Attempted to use Meraki's "apply group policies by device type" setting but failed miserably -- when we tested by blocking all iPhones and Androids from our corporate network, Meraki started flagging all phones and some macbook pros as iPhones and blocked the company laptops from connecting
  • Swap to machine authentication instead of user auth -- cannot do this because the Macs are not domain-bound and can't simply use certs from our CA
  • Swap to machine auth by using Meraki's System Manager -- cannot do because cost and management doesn't want to do anything that cost money....

Only options I see but have not tried:

  • re-bind all Mac clients to the domain and configure machine auth with our CA
  • Set up a SCEP server to hand out certs to perform machine auth since Macs are not domain-bound

If any one has done something similar, could use some pointers. 

Meraki Systems Manager is what I would use. The "apply by device type" will not work as it is quite inaccurate as you saw. SME licenses when purchased from a good VAR should be around $30-$40 per 3 years per device, which shouldn't be that much.

 

Not an Apple guy, so unfortunately I don't know much about RADIUS options for Apple.

BHC Resorts IT Department
0 Kudos
In response to BHC_RESORTS
Lia
Comes here often
‎Jan 4 2018 9:27 AM
‎Jan 4 2018 9:27 AM

Thanks, unfortunately at $30-40 a device, were looking at roughly $5300/yr and yeah... any increase in budget is a no-no for us. We're not on a team that holds a lot of weight when making recommendations/suggestions to management. I'm a bit hesitant to use System Manager as well since features such as the policy by device type is so inaccurate...have u had good experiences with it?

0 Kudos
In response to Lia
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 4 2018 10:50 AM
‎Jan 4 2018 10:50 AM

I can only think of two options.

  • Change over to using certificate based authentication, and control the enrolment process.
  • Block all WiFi devices by default (as in use a layer 3 firewall rule), and then use group policy to over ride that firewall rule and allow approved devices to send traffic.
0 Kudos
In response to Lia
Uberseehandel
Kind of a big deal
‎Jan 5 2018 12:28 AM
‎Jan 5 2018 12:28 AM

@Lia wrote:

Thanks, unfortunately at $30-40 a device, were looking at roughly $5300/yr and yeah... any increase in budget is a no-no for us. We're not on a team that holds a lot of weight when making recommendations/suggestions to management. I'm a bit hesitant to use System Manager as well since features such as the policy by device type is so inaccurate...have u had good experiences with it?

According to a previous poster, the cost is $30-$40 per device for a three year licence. So if annual costs are estimated at $5,300 that is 400 devices. Monthly management cost per device is approximately $1.10. 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Lia
Uberseehandel
Kind of a big deal
‎Jan 5 2018 3:25 AM
‎Jan 5 2018 3:25 AM

You may find helpful information here - Apple - Directory Utility: Configure domain access

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
jared_f
Kind of a big deal
‎Jan 4 2018 7:21 PM
‎Jan 4 2018 7:21 PM

You could install a WiFi profile on corprate devices to allow them to access your wireless. That would restrict anyone without that profile from accessing. Without an MDM solution, you are real limited on how easy it would be to do.

Find this helpful? Click the kudos button. Thanks!
0 Kudos
In response to jared_f
Lia
Comes here often
‎Jan 5 2018 7:41 AM
‎Jan 5 2018 7:41 AM

we use JAMF as our MDM. I think we'll give this a shot.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.