https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493073#M299259 <P>Not directly on the SSID, you would need a Radius server to restrict it this way.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_on_an_SSID" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_on_an_SSID</A></P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points</A></P> Wed, 29 May 2024 20:53:28 GMT aleabrahao 2024-05-29T20:53:28Z https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493072#M299258 <P>as far as i know, if an endpoint connect to the wireless network, i can then restrict the access using device policy and choosing normal, block or allow</P><P>what the customer wants is exactly that function but backwards, i mean, if we can set device policy on block by default for any new users and manually put them in allow or normal, is this possible?</P><P>i tried to do that but i think that i'm missing something or it can't be done the way they want</P> Wed, 29 May 2024 20:46:17 GMT https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493072#M299258 jperez netics 2024-05-29T20:46:17Z https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493073#M299259 <P>Not directly on the SSID, you would need a Radius server to restrict it this way.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_on_an_SSID" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_on_an_SSID</A></P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points</A></P> Wed, 29 May 2024 20:53:28 GMT https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493073#M299259 aleabrahao 2024-05-29T20:53:28Z https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493074#M299260 <P>An option that might work...<BR /> - Create a VLAN and assign a group policy to it that denies all traffic. Set this VLAN on the SSID.</P><P> - Once the device has connected, manually change the group policy of that device to one which allows network traffic.</P> Thu, 30 May 2024 00:43:29 GMT https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493074#M299260 Brash 2024-05-30T00:43:29Z https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493075#M299261 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/108865">@jperez netics</A>, </P><P>What about Layer 2/3 LAN isolation? Client that connect to a "blocked SSID", can be denied (except, DNS and DHCP, which you can controll anyway) to local netwoks. </P><P><STRONG>'Deny Local LAN' settings in Cisco Meraki MR firewall</STRONG></P><P><A href="https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_Meraki_MR_firewall" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_Meraki_MR_firewall</A></P> Thu, 30 May 2024 00:45:03 GMT https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493075#M299261 IvanJukic 2024-05-30T00:45:03Z https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493076#M299262 <P>You're right, most traditional Wi-Fi access points (APs) don't offer the functionality of blocking by default and allowing by exception for MAC addresses within an SSID (Service Set Identifier). However, there are alternative approaches to achieve a similar outcome. <FONT color="#FFFFFF"><A href="https://www.ny-stateofhealth.com/" target="_self" rel="nofollow noopener noreferrer">ny state of health</A></FONT><BR />MAC Filtering with Open Network (Least Secure) This method involves creating an open Wi-Fi network (no password) and restricting access only to authorized MAC addresses through the router/access point's settings.<BR /><SPAN>This approach is not recommended for secure environments as anyone can connect and potentially see network traffic if they have the authorized device's MAC address.</SPAN></P> Fri, 31 May 2024 06:38:00 GMT https://community.cisco.com/t5/wireless/restrict-access-by-mac-address-in-ssid-all-clients-blocked-by/m-p/5493076#M299262 christy2951hernandez 2024-05-31T06:38:00Z