02-24-2026 01:09 PM
Hello community,
Context: I have a Meraki wireless network integrated with an Active Directory, using 802.1x authentication. Employees connect to the wireless network using their domain username and password.
Employees connect a laptop and a cell phone provided by the company to this wireless network.
However, employees also connect their cell phones, tablets, or other personal devices to this 802.1x network. (For network security reasons, these devices should not be connected.)
I considered 802.1x + MAC filtering, but it's not an option due to the large number of MAC addresses.
Is there any way to prevent personal devices from connecting to the 802.1x network, or are there any other alternatives?
02-24-2026 01:21 PM
The only way to avoid personal devices connecting to a network with PEAP is to not use PEAP for network authentication.
Managed devices should use EAP-TLS, with machine certificates issued from your CA.
02-24-2026 03:11 PM
EAP-TLS is the best solution.
You can deploy a Microsoft CA server (included with Windows Server), create a group policy to automatically deploy certificates to AD members, and configure the WiFi to use those certificates.
Getting the certificates onto mobile devices using this solution is difficult; you need an MDM. You could use a separate SSID for the mobile devices that only provides Internet access.
If you *really* want to stick with PEAP, you could create an AD group policy that allows only "machine" authentication to the SSID. Then tell NPS to only allow "Domain Computers".
You could authenticate the mobile devices onto a separate SSID that only provides Internet access, which allows AD username and password.
You could also use NPS to push a VLAN tag. "Domain Computers" go onto one [internal] VLAN, "Domain Users" go into another VLAN (with Internet only access).
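The two NPS options in the post above (machine-only authentication, or VLAN assignment by group) come down to a policy decision on the authenticated identity. The following model of that decision is an added example, not code from the thread or from Microsoft NPS: it uses a constructed directory, an assumed domain name (corp.example) and assumed VLAN IDs (10 internal, 20 Internet-only). The "host/" identity prefix is how Windows presents a computer account during PEAP machine authentication, and the returned attribute values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = 802) are the standard RFC 3580 VLAN-assignment attributes that a RADIUS server hands back to the access point.

```python
"""Model of the two NPS policy designs discussed in the thread.

Option A (machine_only=True): only "Domain Computers" are accepted; an employee
typing domain credentials on a personal phone is rejected.
Option B (machine_only=False): computers land on the internal VLAN, users on an
Internet-only VLAN, so a personal device never reaches internal resources.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

DOMAIN = "corp.example"   # assumed placeholder domain
INTERNAL_VLAN = 10        # assumed VLAN for "Domain Computers"
INTERNET_VLAN = 20        # assumed Internet-only VLAN for "Domain Users"

# Constructed directory: identity -> AD group memberships (not real accounts).
DIRECTORY: Dict[str, Set[str]] = {
    "host/lt-0123.corp.example": {"Domain Computers"},
    "corp\\alice": {"Domain Users"},
    "alice@corp.example": {"Domain Users"},
    "corp\\svc-printer": {"Service Accounts"},   # in neither group -> rejected
}


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    policy: str


def normalize_identity(user_name: str) -> str:
    """Case-fold the RADIUS User-Name so lookups are consistent."""
    return user_name.strip().lower()


def is_machine_identity(user_name: str) -> bool:
    """Windows sends computer accounts as host/<fqdn> during machine auth."""
    return normalize_identity(user_name).startswith("host/")


def evaluate(user_name: str, machine_only: bool = False) -> Decision:
    """Return the policy outcome for one authenticated identity.

    NPS evaluates policies in order; the first match wins, and an identity that
    matches no policy is rejected.
    """
    groups = DIRECTORY.get(normalize_identity(user_name))
    if groups is None:
        return Decision(False, None, "no-such-account")

    # Policy 1: computer accounts. Requiring both the group and the host/ form
    # means a user account renamed to look like a computer does not match.
    if "Domain Computers" in groups and is_machine_identity(user_name):
        return Decision(True, INTERNAL_VLAN, "machine-internal")

    # Policy 2: user accounts, only offered when the design allows them.
    if not machine_only and "Domain Users" in groups:
        return Decision(True, INTERNET_VLAN, "user-internet-only")

    return Decision(False, None, "no-matching-policy")


def radius_reply_attributes(decision: Decision) -> Dict[str, str]:
    """RFC 3580 attributes the RADIUS server returns so the AP tags the client."""
    if not decision.accept or decision.vlan is None:
        return {}   # Access-Reject carries no VLAN attributes
    return {
        "Tunnel-Type": "13",                 # VLAN
        "Tunnel-Medium-Type": "6",           # IEEE 802
        "Tunnel-Private-Group-ID": str(decision.vlan),
    }


if __name__ == "__main__":
    for ident in ("host/LT-0123.corp.example", "CORP\\alice", "corp\\svc-printer"):
        for mode in (False, True):
            d = evaluate(ident, machine_only=mode)
            print(f"{ident:28} machine_only={mode!s:5} -> {d.policy:20} "
                  f"{radius_reply_attributes(d)}")
```

With machine_only=False, a corporate laptop authenticating as its computer account gets VLAN 10, while the same employee's personal phone, authenticating with the user's password, gets VLAN 20. Flipping machine_only to True rejects the phone outright; the 802.1X supplicant on managed Windows laptops then has to be set (via the wireless GPO the post mentions) to "computer authentication", or they would present user credentials and be rejected as well.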
02-25-2026 11:13 AM
I like that idea.
02-24-2026 01:27 PM
What I would do is create a group policy within your Meraki dashboard for company owned devices. Then import the device MAC and assign it to the group policy. Have everything else outside of that policy be put onto a guest VLAN.
02-24-2026 06:09 PM
That sounds good, but I need to avoid managing MAC addresses. I appreciate your post.
02-24-2026 02:55 PM
You can also use an MDM solution like Microsoft Intune.
02-25-2026 11:14 AM
I like that idea; I've been looking into it more and it seems interesting.
02-24-2026 04:12 PM
As stated above, the best approach is to use EAP-TLS and issue certificates to your corporate devices only.