Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2755
Views
4
Helpful
4
Replies

Client Authentication using MAC and AD account

Go to solution
ajiang1
Community Member

‎07-21-2024 02:30 AM

I want to control user devices through their MAC address and AD account when accessing the wireless network. That means, to access the wireless network, the device must have its MAC address registered beforehand and log in with the correct AD account. How can I implement this on a Meraki MR device?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ppurroy
Cisco Employee
Cisco Employee

‎07-21-2024 02:40 AM

This is really a function of the Radius server that you are using. If the radius server is able to take into account both factors (MAC + AD account) when deciding to provide or deny access then yes.

Windows built-in radius server (NPS) is not able to do that. This can be performed with more advanced radius servers, such as Cisco ISE or others.


If what you are trying to achieve is that employees login onto wireless (AD auth) only with their corporate issued PCs then I would suggest to use Machine Authentication rather than username/password. With Machine Authentication the Radius server verifies with AD if that machine belongs to the domain. Then the user will be validated when they login into the machine. Assuming that this is a Windows environment.

View solution in original post

4 Replies 4

Go to solution
ppurroy
Cisco Employee
Cisco Employee

‎07-21-2024 02:40 AM

This is really a function of the Radius server that you are using. If the radius server is able to take into account both factors (MAC + AD account) when deciding to provide or deny access then yes.

Windows built-in radius server (NPS) is not able to do that. This can be performed with more advanced radius servers, such as Cisco ISE or others.


If what you are trying to achieve is that employees login onto wireless (AD auth) only with their corporate issued PCs then I would suggest to use Machine Authentication rather than username/password. With Machine Authentication the Radius server verifies with AD if that machine belongs to the domain. Then the user will be validated when they login into the machine. Assuming that this is a Windows environment.

Go to solution
ajiang1
Community Member

‎07-21-2024 08:12 AM

Thank you, Purroy.

0 Helpful

Go to solution
Philip D'Ath
Meraki Community All-Star
Meraki Community All-Star

‎07-21-2024 02:05 PM

Because Meraki group policies are applied based on Mac address, you could set the default Wireless Firewall rule to deny everything, and then create a group policy called something like "Approved", which overrides the firewall rule and allows access, and apply it to every machine that is approved to access the network.

Go to solution
Evgeniy Volokhovich
Community Member
In response to Philip D'Ath

‎02-28-2025 09:19 AM

thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card