
Cisco Meraki Documentation

How to Block and Allow Clients on a Cisco Meraki Network

Overview

This article explains how to allow list or block a specific client on a Cisco Meraki network. You can configure this on a client-by-client basis, and the change affects the client immediately. 

You can allow list or block clients on the MX Security Appliance and on MR Access Points. You cannot add a client to the allow list or block list on a Cisco Meraki switch.

You configure client policies once a device appears in the network client list. You can also pre-configure a policy for clients that are not yet listed. 

Built-in client policies 

Two built-in policies are available for a client: 

  • Allow list 

  • Blocked 

Normal is the default setting for every client. It subjects the client to all network-wide settings. 

You can also apply group policies to a client. Apply them the same way as the policies described below. 

What the allow list policy does 

An allow-listed client receives the following settings: 

  • Exempt from all firewall rules, both Layer 3 and Layer 7. Applies to the MX Security Appliance and the MR Access Points. 

  • Bypasses AMP. 

  • Bypasses a Billing (paid access) splash page. The client accesses the network on an SSID without paying or authenticating. 

  • Bypasses a Sign-on splash page without authenticating. Applies to the MX Security Appliance and the MR Access Points. 

  • Exempt from the Per-client bandwidth limit. Applies to the MX Security Appliance and the MR Access Points. 

  • Exempt from Traffic shaping rules. Applies to the MX Security Appliance and the MR Access Points. 

Allow listing previously exempted clients from L7 firewall rules only, not from L3 rules. Allow-listed clients are now exempt from all firewall rules, both L3 and L7. Allow-listed clients do not bypass restricted YouTube content and IDS/IPS under Security & SD-WAN > Configure > Threat Protection. 

What the block policy does 

A blocked client receives the following settings: 

  • A firewall rule blocks all communication with other devices on the network. This applies only to traffic that traverses the Cisco Meraki device on which the block is configured. 

  • A Blocked splash page appears when the user tries to load a web page. 

Prerequisites 

Review the following before you configure client policies: 

  • A Cisco Meraki MX Security Appliance or MR Access Points in your network. You cannot apply these policies on a Cisco Meraki switch. 

  • Access to the Network-wide > Monitor > Clients page on the Cisco Meraki dashboard. 

Client limits 

  • The limit is 3000 clients for allow listing and 3000 clients for blocking. 

  • An error appears when you attempt to allow list or block more than 3000 clients.

The single configuration pane to block and allow list users on the security appliance and the SSIDs is only available on a combined network. For uncombined networks, complete these settings on each dashboard network. 

Step-by-step instructions 

You can allow list or block a client in two ways on the Cisco Meraki dashboard. 

Placing a client on the Block list blocks both LAN and Internet traffic. 

Using the clients list 

  1. Go to Network-wide > Monitor > Clients. 

  2. Check the boxes of the clients that you want to allow list or block. 

  3. Select the Policy drop-down above the client list. 

  4. Choose Blocked or Allow listed. 

  5. To apply the policy per SSID or only on the MX Security Appliance, select Different policies by connection and SSID. 

  6. To clear the setting, remove the block list or allow list policy. Then select Normal. 

If you use a splash message when applying a block, limit the message to one paragraph. 

WAN appliance Network-wide Clients Policy List

Adding a client that has not connected 

A client that has never connected to the network can still have a policy applied. The same applies to a client that is not in the client list. 

  1. Go to Network-wide > Monitor > Clients. 

  2. Select Add client. 

  3. Enter a friendly name for the device. 

  4. Enter its MAC address. 

  5. Choose the policy you want to apply. 

  6. Select Save changes. 

Screenshot showing the option to select all clients with a policy on the clients list page in dashboard
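As an added example (not part of this article and not Cisco Meraki's own code), the following Python script performs the same steps as the two procedures above, friendly name, MAC address, policy, and the "Different policies by connection and SSID" option, through the Meraki Dashboard API instead of the dashboard UI. The endpoint path, the request fields (`clients`, `devicePolicy`, `policiesBySecurityAppliance`, `policiesBySsid`) and the policy values are assumed from the public Dashboard API documentation rather than taken from this article; the API key and network ID are placeholders and the MAC addresses are constructed. The script also enforces the article's 3000-client-per-policy limit before sending anything, and rejects malformed MACs so that an entry that could never match a client is not provisioned.

```python
"""Provision block / allow list client policies through the Meraki Dashboard API.

Added example. Endpoint and field names are assumed from the Dashboard API
documentation and are not stated in the article.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Per-policy client limit stated in the article (3000 allow listed, 3000 blocked).
MAX_POLICY_CLIENTS = 3000

# devicePolicy values accepted by the provision endpoint (assumed). "Group policy"
# also exists but needs a groupPolicyId and is not handled here.
DEVICE_POLICIES = {"Allowed", "Blocked", "Normal", "Per connection"}

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as lower-case colon-separated octets.

    Accepts ':', '-', '.' or no separator; raises ValueError for anything that
    is not exactly 12 hex digits, so a typo never becomes a silent no-op policy.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_provision_payload(
    clients: Sequence[Tuple[str, str]],
    device_policy: str,
    mx_policy: Optional[str] = None,
    policies_by_ssid: Optional[Dict[int, str]] = None,
    already_assigned: int = 0,
) -> dict:
    """Build the request body for provisioning (mac, friendly name) pairs with a policy.

    mx_policy / policies_by_ssid mirror the dashboard's "Different policies by
    connection and SSID" option; when either is given the top-level policy becomes
    "Per connection". already_assigned is how many clients already carry this
    policy, so the article's 3000-client limit is checked before the API call.
    """
    for policy in [device_policy, mx_policy, *(policies_by_ssid or {}).values()]:
        if policy is not None and policy not in DEVICE_POLICIES:
            raise ValueError(f"unknown devicePolicy {policy!r}; expected one of {sorted(DEVICE_POLICIES)}")

    entries: List[dict] = []
    seen = set()
    for mac, name in clients:
        norm = normalize_mac(mac)
        if norm in seen:
            continue  # a duplicate MAC would otherwise count twice against the limit
        seen.add(norm)
        entries.append({"mac": norm, "name": name})

    if already_assigned + len(entries) > MAX_POLICY_CLIENTS:
        raise ValueError(
            f"{already_assigned + len(entries)} clients would exceed the "
            f"{MAX_POLICY_CLIENTS}-client limit for a single policy")

    payload: dict = {"clients": entries, "devicePolicy": device_policy}
    if mx_policy is not None or policies_by_ssid:
        payload["devicePolicy"] = "Per connection"
        if mx_policy is not None:
            payload["policiesBySecurityAppliance"] = {"devicePolicy": mx_policy}
        if policies_by_ssid:
            payload["policiesBySsid"] = {
                str(ssid): {"devicePolicy": p} for ssid, p in policies_by_ssid.items()}
    return payload


def provision_clients(api_key: str, network_id: str, payload: dict, timeout: float = 10.0) -> dict:
    """POST the payload to the (assumed) provision endpoint; needs the requests package."""
    import requests  # imported here so the payload helpers work without it installed

    url = f"https://api.meraki.com/api/v1/networks/{network_id}/clients/provision"
    headers = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
    resp = requests.post(url, json=payload, headers=headers, timeout=timeout)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Constructed sample: block one unseen device everywhere and allow list another
    # on the MX only (Normal on SSID 0). Replace the placeholders before running live.
    print(build_provision_payload([("AA-BB-CC-DD-EE-FF", "rogue-iot-cam")], "Blocked"))
    print(build_provision_payload([("00:11:22:33:44:55", "badge-printer")], "Normal",
                                  mx_policy="Allowed", policies_by_ssid={0: "Normal"}))
    # provision_clients("<API_KEY_PLACEHOLDER>", "<NETWORK_ID_PLACEHOLDER>", payload)
```

The payload builder is separated from the HTTP call so the validation (MAC format, policy names, the 3000-client limit, duplicate MACs) can be unit tested offline, and so a change set can be reviewed before it is applied to a production network.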

Using the client details page 

The client details page shows the current policy. You can update it here. 

  1. Open the client details page. 

  2. To apply the policy per SSID or only on the MX, select Different policies by connection and SSID. 

  3. Configure Blocked or Allow listed per SSID and on the MX Security Appliance. 

  4. To clear the setting, remove the Blocked or Allow list policy. Then apply Normal. 

Screenshot showing the option to change the clients policy via the client details page

Verification 

Confirm your configuration was applied successfully: 

  1. Go to Network-wide > Monitor > Clients. 

  2. Filter clients to determine which clients have a policy configured. 

To check pre-configured clients: 

  1. Choose to show all clients with a policy. This shows clients you pre-configured but that have not yet been seen on the network. 

  2. If a client does not appear immediately, refresh the page first. 

Troubleshooting 

Review the following behavioral notes and edge cases. 

Blocked client behavior 

  • A blocked device still receives an IP address. It can also resolve DNS names. 

  • The EAP exchange is still allowed for wireless clients. Devices can associate with an SSID. 

  • The block applies to client traffic after the 4-way handshake completes. 

Allow list bandwidth and association behavior 

  • A device is still subject to association requirements and per-SSID bandwidth limits on MR Access Points. 

  • A device is still subject to Uplink Configuration and Security Filtering on an MX Security Appliance. 

  • Certain RADIUS attributes assign a bandwidth limit to a client. These include Filter-ID (via a Group Policy), Maximum-Data-Rate-Upstream, and Maximum-Data-Rate-Downstream. 

  • These RADIUS attributes are considered before any dashboard-assigned configuration. A device is still subject to these bandwidth limits even when allow listed. 

  • View limits applied with the Maximum-Data-Rate-Upstream or Maximum-Data-Rate-Downstream TLVs under the Wireless > Monitor > Splash logins page. 

Template-bound network behavior 

  • If you allow list a device in a network bound to a template, that client is allow listed on all other networks bound to that template. 

  • If you remove the client from the allow list on one bound network, it is removed from the allow list on all others. 

Meraki DHCP behavior 

Security appliance policies have no effect for clients connected to an SSID with Meraki DHCP. The client MAC and IP address get NATed at the MR before reaching the security appliance. 

Site-to-Site VPN firewall rule behavior with group policy 

  • If the Site-to-Site VPN Outbound Firewall Rule allows and the Group Policy L3 denies, traffic is denied. 

  • If the Site-to-Site VPN Outbound Firewall Rule denies and the Group Policy L3 allows, traffic is denied. 

  • If the Site-to-Site VPN Outbound Firewall Rule denies and the Group Policy allow-listed preset is configured, traffic is denied. 

 
