Configure MAC-based access by creating group policies

Sandra_Linares
Here to help


Hello!

 

In a network that only has an MS120-8FP switch and 2 MR46 APs installed, would it be possible to use a group policy to perform MAC filtering, or do I need an MX64?

I have configured in Wireless -> Firewall & Traffic shaping a rule denying all traffic, as the photo shows.

 

Sandra_Linares_0-1649092659982.png

Is it enough to implement MAC filtering? This option has not been tested yet; I'll try it tomorrow.

 

Thanks

alemabrahao
Kind of a big deal

Do you want to enable MAB on Wireless?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Sandra_Linares
Here to help

Hello!

 

I want to enable MAC filtering in any way. I've seen 2 ways:

1. Enable MAB in association, but I need a RADIUS server.

2. Configure a Layer 3 rule and apply a group policy, but I don't have an MX installed in the network.

I would like to use the second option, but I don't know if it is possible without an MX.

 

Thanks.

alemabrahao
Kind of a big deal

To use MAB on wireless, a RADIUS server is required. To use it on the LAN segment, you can use an allow list on each port:

 

alemabrahao_0-1649098015428.png

 

Sandra_Linares
Here to help

OK, I want to use it on wireless devices.

 

Thanks

alemabrahao
Kind of a big deal

For a wireless device, you can assign a group policy by device type. And just allow the clients that you want to use the wireless on a different group policy.

 

alemabrahao_0-1649098521548.png

 

alemabrahao_1-1649098626908.png

 

I have never tested it before, but I can test and share the results.
Sandra_Linares
Here to help

Thank you so much. I'll try to test it tomorrow.

Russ_B
Getting noticed

I would make the Deny rule for all traffic, not just Local LAN.  Then for the clients you want to have access, you would go to Network Wide, Clients, check the box for the client you want to allow access, choose Policy at the top, and add them to the Allow List.

 

Keep in mind that this method isn't very secure, since MAC addresses can be spoofed.

 

This topic has some good info on a couple of different approaches and screenshots:

Solved: Restrict access by PSK and MAC? - The Meraki Community

 

Russ
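
Added example (not part of any post in this thread and not Meraki's own code): the allow-list step Russ_B describes, prepared in bulk. The Python script normalizes a MAC inventory, flags locally administered (private/randomized) addresses that make a MAC allow list unreliable, and builds the request body. The endpoint path and the `Allowed` policy value are assumptions to confirm against the current Dashboard API reference; the inventory and network ID are constructed.

```python
import json
import re

# Assumption: Dashboard API v1 "provision clients" endpoint and its "Allowed"
# device policy; confirm both against the current Meraki API reference.
PROVISION_PATH = "/api/v1/networks/{network_id}/clients/provision"

def normalize_mac(raw):
    """Accept 00-18-0A-.., 0018.0a12.., 00:18:0a:..; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """U/L bit set in the first octet: typical of private/randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def build_allow_request(network_id, inventory):
    """inventory: (name, mac) pairs. Returns (path, body, warnings)."""
    clients, warnings, seen = [], [], set()
    for name, raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            warnings.append(f"{name}: skipped, {exc}")
            continue
        if mac in seen:
            warnings.append(f"{name}: skipped, duplicate of {mac}")
            continue
        seen.add(mac)
        if is_locally_administered(mac):
            warnings.append(f"{name}: {mac} is locally administered; the "
                            "entry stops matching if the device rotates it")
        clients.append({"mac": mac, "name": name})
    body = {"clients": clients, "devicePolicy": "Allowed"}
    return PROVISION_PATH.format(network_id=network_id), body, warnings

# Constructed sample inventory; the network ID is a placeholder.
SAMPLE = [("front-desk-laptop", "00-18-0A-12-34-56"),
          ("warehouse-scanner", "0018.0a12.3457"),
          ("byod-phone", "DA:A1:19:00:00:01"),
          ("laptop-again", "00:18:0A:12:34:56"),
          ("typo", "00:18:0A:12:34")]

if __name__ == "__main__":
    path, body, warnings = build_allow_request("N_PLACEHOLDER", SAMPLE)
    print("POST", path, json.dumps(body, indent=2), *warnings, sep="\n")
```

Reviewing the warnings before sending the request shows which devices will need their private-address setting disabled for this SSID, or a different control such as the RADIUS or iPSK options mentioned elsewhere in the thread.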

 

Sandra_Linares
Here to help

OK, I'll change this configuration parameter in the Deny Rule.

 

Thank you!

PhilipDAth
Kind of a big deal

You can use iPSK on the SSID without RADIUS for up to 50 clients.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS 
