Restrict access by PSK and MAC?

Solved
WarrenG
Getting noticed

Is it possible to restrict access to a wireless network by requiring both a passphrase and the MAC address being whitelisted?

1 Accepted Solution
PhilipDAth
Kind of a big deal

You could set the firewall rules to a default "deny any". Then a user would only get access if they knew both the PSK and you whitelisted them to override the deny.

Could you instead use WPA2-Enterprise mode with Meraki authentication? Then each device would need both a username and a password, and you can disable an individual device easily.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring__WPA2-Enterprise_with_...

Another option is to use a unique PSK per device.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS


10 Replies
Inderdeep
Kind of a big deal

WarrenG
Getting noticed

It would seem like using a PSK together with MAC address whitelisting should be a pretty simple option. Why is it that while Meraki's interface is very simplified, you can never seem to do the simple things that you might need to do?

PhilipDAth
Kind of a big deal

Once you create the "deny any" rule (just one single rule), it's like 4 mouse clicks (just tried it) to whitelist a client from the client view.
I'm not sure how Meraki could make this simpler or easier.

WarrenG
Getting noticed

Okay, so I'm trying to track with you here. I create a deny rule on the particular SSID I need to lock down. How do you then whitelist a client from the client view?

PhilipDAth
Kind of a big deal

It's called "Allow" rather than "Whitelist". You can do it in several places, but the client's view is an easy way to do it.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Block_Listing_and_All...

WarrenG
Getting noticed

Okay, thanks Philip. I'm going to play with this and see if I can test it successfully. Thanks again for the help.

Paul_H
Meraki Employee

Within Wireless - Access Policy "Assign group policies by device type"... then select ALL the types and assign your PSK-ONLY-BLOCK-Group Policy 😉 

Then within Network-Wide clients page - Add client section to override and assign a group policy to actually allow things 😉 

WarrenG
Getting noticed

Thanks @Paul_H, I'm going to try Philip's method first and will come back to this if I can't get that working. Thanks again!

Paul_H
Meraki Employee

Hey @WarrenG !

I've definitely encountered this before, and as mentioned above you could leverage a firewall to do it like @PhilipDAth and/or leverage @Inderdeep's ideas as well!

A 3rd option... (because Meraki is SO flexible 😉 ) You can:
--> Create an SSID with PSK and enforce a group policy to be applied that has deny ANY ANY.
--> Under Network-Wide, Clients - Add a client by MAC address
    --> Specify a unique Group Policy that grants access to that client MAC either globally or PER-SSID

--> Sit back like a Dashboard DJ!

Hope that helps as well!
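Philip's "deny any" rule with a per-client Allow, and Paul's "add a client by MAC address" step, scripted against the Meraki Dashboard API v1 with only the Python standard library; this is an added example, not code from this thread or from Meraki. The endpoint paths and body fields are assumptions based on the public API v1 documentation (the per-SSID "Per connection"/policiesBySsid form especially), and NETWORK_ID, the API key and the MAC addresses are placeholders.

```python
import json
import os
import re
import urllib.request

BASE = "https://api.meraki.com/api/v1"
NETWORK_ID = os.environ.get("MERAKI_NETWORK_ID", "N_PLACEHOLDER")  # placeholder network id
API_KEY = os.environ.get("MERAKI_API_KEY", "KEY_PLACEHOLDER")      # placeholder API key


def ssid_deny_all_rules():
    """Body for PUT /networks/{id}/wireless/ssids/{n}/firewall/l3FirewallRules: Philip's
    single 'deny any' rule plus no LAN access, so a PSK-only client associates but gets nothing."""
    return {"allowLanAccess": False,
            "rules": [{"comment": "PSK-only clients: deny everything", "policy": "deny",
                       "protocol": "any", "destPort": "any", "destCidr": "any"}]}


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form so the Dashboard entry matches what the client
    presents; rejects anything that is not exactly 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def allow_listed_clients_body(macs, ssid_number=None):
    """Body for POST /networks/{id}/clients/provision, the API form of Network-wide > Clients >
    Add client. 'Allowed' is the client-view 'Allow' policy that overrides the SSID deny rule;
    with ssid_number the override is scoped to that SSID (per-SSID schema assumed). A MAC is
    an identifier, not a credential: the PSK still authenticates, the list only narrows who passes."""
    body = {"clients": [{"mac": normalize_mac(m), "name": n} for m, n in macs.items()]}
    if ssid_number is None:
        body["devicePolicy"] = "Allowed"
    else:
        body["devicePolicy"] = "Per connection"
        body["policiesBySsid"] = {str(ssid_number): {"devicePolicy": "Allowed"}}
    return body


def push(method, path, body):
    """One JSON request to the Dashboard API (live call; not exercised offline)."""
    req = urllib.request.Request(f"{BASE}/networks/{NETWORK_ID}{path}", method=method,
                                 data=json.dumps(body).encode(),
                                 headers={"X-Cisco-Meraki-API-Key": API_KEY,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def lock_down(ssid_number, macs):
    """Step 1: deny-all on the PSK SSID. Step 2: add the approved MACs with the Allow override."""
    push("PUT", f"/wireless/ssids/{ssid_number}/firewall/l3FirewallRules", ssid_deny_all_rules())
    return push("POST", "/clients/provision", allow_listed_clients_body(macs, ssid_number))
```

Call `lock_down(3, {"AA-BB-CC-DD-EE-01": "laptop"})` with real credentials in the environment; the two body-building functions can be inspected offline before anything is pushed.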
