MR authentication with MAC

FrancoRamos5133
Community Member

Hi, I have this client that requires heavy authentication on wireless devices since they have issues of employees giving out the password of the SSID to unauthorized clients.

I'm never new to MX but only more than a year to MR. Upon deploying MR33, I encountered an issue (see image below) on MAC based access.

- Does this require a server or certain configuration to MX?

- Do I need a RADIUS server?

Further info:

- MX64 is in use

- 2 units MR33

- Client doesn't have Active Directory

Franco Ramos

Philip D'Ath
Meraki Community All-Star

MAC based authentication is used in conjunction with a RADIUS server.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC_based_access_control_on_an_SSID

I didn't realise you can't use a sign on page as well - but it shows that in your screen shot.

It is more common to use WPA2-Enterprise mode. Typically companies authenticate this against Active Directory using the Microsoft NPS service. You should be looking at this option.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

You can also use WPA2-Enterprise mode with Meraki Authentication, where you create accounts for users in the portal, but you would only want to do this if you had a small number of users.

If there is no centralised authentication like Active Directory you can also use Meraki Systems Manager using the Sentry option where it deploys certificates onto the devices. This can have a whole lot of pain, so your specific environment would need further consideration.

https://documentation.meraki.com/SM/Deployment_Guides/Systems_Manager_Sentry_Overview

Hi @Philip D'Ath

Thank you for the response. Please correct me if I'm wrong: based on the Meraki documentation, a RADIUS requires a server or AD server? Absence of any server that can provide certain certificate for authentication will not make a RADIUS server complete?

For Meraki Systems Manager, I doubt the client would use it since it's only an SMB with less than 50 users. Budgetary concern too.

Franco Ramos

Philip D'Ath
Meraki Community All-Star
Accepted Solution

> a RADIUS requires a server or AD server

Correct - it requires a server of some kind. FreeRADIUS is pretty good - and is free - but still requires a server to run on.

At 50 users, you could use WPA2-Enterprise authentication with Meraki hosted users.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

This is a very good security solution.

Hi @Philip D'Ath

One last clarification: if I set up the account per user, will the Meraki require log-in once connected to any SSID of my MR, and will not be able to use the network even if someone knew the password for any SSID?

Franco Ramos

codenamexe
Level 4

You can control MAC without RADIUS, but it's a little complicated.

I'm using a sign-on splash page with Meraki authentication. With this configuration, nobody can log in to the SSID because I didn't make any accounts for normal users (only network admins have a Meraki account). And if I want to allow a client to use that SSID, I've added the client's MAC as a whitelisted client, so the client can override the SSID's authentication settings and thus can use the SSID. But if you use this method, you can add less than 2000 clients because of the limitation of Meraki's whitelisted client count.

Hi @codenamexe

Thank you. So this means I need to manually whitelist clients? Would my existing Group Policies be affected? Please enlighten me.

Franco Ramos

If you don't have an onsite server why not look at something like Jumpcloud?

There is a built-in Whitelisted group and you can add a client to it through the Clients page.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Clients

If a client is whitelisted, it will ignore access controls and will always be allowed to connect to the network.