topic Re: BYOD - Wireless in Wireless

BYOD - Wireless

nstr1 — Tue, 24 Feb 2026 21:09:44 GMT

Hello community,

Context: I have a Meraki wireless network integrated with an Active Directory, using 802.1x authentication. Employees connect to the wireless network using their domain username and password.

Employees connect a laptop and a cell phone provided by the company to this wireless network.

However, employees also connect their cell phones, tablets, or other personal devices to this 802.1x network. (For network security reasons, these devices should not be connected.)

I considered 802.1x + MAC filtering, but it's not an option due to the large number of MAC addresses.

Is there any way to prevent personal devices from connecting to the 802.1x network, or are there any other alternatives?

Re: BYOD - Wireless

Rasmus Hoffmann Birkelund — Tue, 24 Feb 2026 21:21:47 GMT

The only way to avoid personal devices connecting to a network with PEAP, is to not use PEAP for network authentication.

Managed devices should use EAP-TLS, with machine certificates issued from your CA.

Re: BYOD - Wireless

BlakeRichardson — Tue, 24 Feb 2026 21:27:00 GMT

What I would do is create a group policy within your Meraki dashboard for company owned devices. Then import the device MAC and assign it to the group policy. Have everything else outside of that policy be put onto a guest VLAN.

Re: BYOD - Wireless

aleabrahao — Tue, 24 Feb 2026 22:55:14 GMT

You can also use a MDM solution like Microsoft Intne.

Re: BYOD - Wireless

Philip D'Ath — Tue, 24 Feb 2026 23:11:52 GMT

EAP-TLS is the best solution.

You can deploy a Microsoft CA server (included with Windows Server), create a group policy to automatically deploy certificates to AD members, and configure the WiFi to use those certificates.

Getting the certificates onto mobile devices using this solution is difficult; you need an MDM. You could use a separate SSID for the mobile devices that only provides Internet access.

If you *really* want to stick with PEAP, you could create an AD group policy that allows only "machine" authentication to the SSID. Then tell NPS to only allow "Domain Computers".

You could authenticate the mobile devices onto a separate SSID that only provides Internet access, which allows AD username and password.

You could also use NPS to push a VLAN tag. "Domain Computers" go onto one [internal] VLAN, "Domain Users" go into another VLAN (with Internet only access).

Re: BYOD - Wireless

Brash — Wed, 25 Feb 2026 00:12:25 GMT

As stated above, the best approach is to use EAP-TLS and issue certificates to your corporate devices only.

Re: BYOD - Wireless

nstr1 — Wed, 25 Feb 2026 02:09:44 GMT

That's sound good, but i need avoid manage MAC address, i appreciate you post.

Re: BYOD - Wireless

nstr1 — Wed, 25 Feb 2026 19:13:10 GMT

I like that idea.

Re: BYOD - Wireless

nstr1 — Wed, 25 Feb 2026 19:14:24 GMT

I like that idea; I've been looking into it more and it seems interesting.