11-17-2023 03:28 PM
I have two SSIDs AP1 and AP2 both of which leverage MAC authentication device list defined under AAA Advanced, Device Authentication. I have defined the Attribute List Name and WLAN profiles specific to each MAC in an attempt to limit the SSID that the device can connect to.
One SSID (AP1) gets the user further authenticated using Windows NPS, while the other (AP2) relies on a static password using WPA all within the Cisco EWC.
My issue is that I want to prevent someone that is already defined in the MAC list and knows the static password from jumping onto AP2. What am I missing with the configuration that is not stopping this from occurring?
11-17-2023 03:41 PM
What WLC do you have?
11-17-2023 05:17 PM
I'm using C9115 APs and running them using the Embedded Wireless Controller implementation version 17.9.4.
11-17-2023 10:29 PM
- Jumping or roaming can never be prevented; you can only have WLANs with SSIDs, each having their (own) authentication schemes (if needed).
M.
11-19-2023 01:44 PM
You could look at iPSK and have the AAA server auth policy have the SSID in it.
That way you could say if connecting to SSID AP1 and part of endpoint group containing device MAC then return PSK, if not then return access deny.
Same for the other SSID
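The per-SSID authorization logic suggested in this reply, written out as an added Python model (not Cisco, NPS or ISE code): the RADIUS server receives the client MAC in Calling-Station-Id and the AP radio MAC plus SSID in Called-Station-Id (assumed format `<ap-mac>:<ssid>`), checks the MAC against the endpoint group for that SSID, and either returns the PSK as Cisco AV pairs or rejects. The endpoint groups and keys are constructed placeholders.

```python
"""Model of a per-SSID iPSK authorization policy (constructed example)."""
import re

# Constructed endpoint groups: SSID -> normalised MACs allowed on that SSID.
ENDPOINT_GROUPS = {
    "AP1": {"001122334455"},
    "AP2": {"aabbccddeeff"},
}
# Constructed per-SSID keys; placeholders, not real credentials.
SSID_PSK = {"AP1": "PLACEHOLDER-AP1-KEY", "AP2": "PLACEHOLDER-AP2-KEY"}


def normalise_mac(mac: str) -> str:
    """Reduce 00:11:22:33:44:55 / 0011.2233.4455 / 00-11-22-33-44-55 to 12 hex chars."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def ssid_from_called_station(called_station_id: str) -> str:
    """Called-Station-Id is assumed to be '<ap-mac>:<ssid>'; the SSID may contain ':'."""
    _ap_mac, sep, ssid = called_station_id.partition(":")
    if not sep or not ssid:
        raise ValueError(f"no SSID in Called-Station-Id: {called_station_id!r}")
    return ssid


def authorize(calling_station_id: str, called_station_id: str) -> dict:
    """Return the reply the policy would send: Access-Accept carrying the
    SSID's PSK only if this MAC is in that SSID's endpoint group, else reject.
    A device allowed on AP1 is therefore rejected on AP2 even if it knows
    AP2's password, which is the behaviour the original question asks for."""
    try:
        mac = normalise_mac(calling_station_id)
        ssid = ssid_from_called_station(called_station_id)
    except ValueError as exc:
        return {"code": "Access-Reject", "reason": str(exc)}
    if mac not in ENDPOINT_GROUPS.get(ssid, set()):
        return {"code": "Access-Reject", "reason": f"{mac} not permitted on {ssid}"}
    # Cisco AV pairs that hand the per-device key back to the controller.
    return {
        "code": "Access-Accept",
        "cisco-avpair": ["psk-mode=ascii", f"psk={SSID_PSK[ssid]}"],
    }
```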
11-19-2023 05:33 PM
11-19-2023 10:54 PM
Yes, you can define an allowlist for MAC Auth on the PSK SSID to prevent non-legitimate devices from connecting to it, but this could be spoofed by a user with access to free tools and hacking forums if they want to.
Using iPSK on the SSID would be the best way, but using MS NPS is hard to do as the part with MAC Auth relies on user accounts created on the DC. (https://community.meraki.com/t5/Wireless-LAN/iPSK-Configuration-with-Microsoft-NPS/m-p/100983/highlight/true#M14935)