Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3353
Views
2
Helpful
6
Replies

Limiting personal devices

Go to solution
RandyK1
Community Member

‎09-19-2023 02:04 PM

Unfortunately , the employee wifi password was shared with employees prior to my arrival . We now have a lot of personal devices connecting. What is the best method to resolve this? We have Azure AD

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
leewalhovd
Cisco Employee
Cisco Employee
In response to RandyK1

‎09-20-2023 09:56 AM

802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate.
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise#User_vs._Machine_Authentication

View solution in original post

0 Helpful
6 Replies 6

Go to solution
MerakiGnome
Meraki Community All-Star
Meraki Community All-Star

‎09-19-2023 02:44 PM

Change the password.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor
0 Helpful

Go to solution
leewalhovd
Cisco Employee
Cisco Employee
In response to MerakiGnome

‎09-19-2023 04:03 PM

I would convert the SSID to an IPSK without radius with a new and old PSK and remove the old password after an audit of the clients. Any device that is connecting to the Old PSK will stop working once the IPSK is removed that covers the old PSK. It's a nice way to rotate passwords without breaking connections entirely.
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎09-19-2023 03:06 PM

I would go one step further than @DarrenOC

Either move to 802.1X or, if you want to keep PSKs, push the passphrase to the clients with an MDM. That way the users can not read the password.

In addition to that, allow the users to connect their personal devices with a different SSID/profile with reduced connectivity to your internal network.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Go to solution
RandyK1
Community Member
In response to Karsten Iwen

‎09-20-2023 09:41 AM

What solution for 802.1 x would stop the employees from just using their phone and authenticate there

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to RandyK1

‎09-20-2023 09:50 AM

Nothing when using Username/PW. But you would see which devices belong to which user and could issue "corrective actions" (whatever this will be). With certificates, the amount of criminal energy of the user will be much higher.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Go to solution
leewalhovd
Cisco Employee
Cisco Employee
In response to RandyK1

‎09-20-2023 09:56 AM

802.1x auth can use many things to validate a device, for example, certificates on the device. Depending on control, or lack of control of the devices would determine what is appropriate. If you don't keep the certificate from users, as in they have admin access to the devices certificate authentication won't guarantee they can't move the certificate to another device to authenticate.
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise#User_vs._Machine_Authentication

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card