
Enabling MAC based access control on an SSID

 

 

MAC-based access control admits or denies wireless association based on the connecting device’s MAC address. In this authentication method, wireless devices use their MAC address as both the username and the password. Follow the steps below to configure an SSID to require MAC-based access control with RADIUS.

Note: To enable MAC-based access control without a RADIUS server, a Sign-on Splash page can be used in a similar fashion.

 

1. From Dashboard navigate to Configure > Access control.

2. Select MAC-based access control (no encryption) for Association requirements.


 

3. For Splash page, choose None. Click-through splash can be selected if desired.

4. For RADIUS server, click Add a server. Enter the RADIUS server IP address, listening port, and RADIUS shared secret to be used by your APs, which are configured as RADIUS clients on the server.

 

5. For Addressing and traffic choose Bridge mode in a VLAN environment. NAT mode could be used without VLANs if desired. 

6. An SSID can bridge wireless devices onto different VLANs. A default SSID VLAN can be set using the VLAN tag drop-down. Then set the VLAN override drop-down so that the RADIUS response can override the VLAN tag. RADIUS accept messages containing a different VLAN tag will then override the default VLAN for the SSID.

7. Click Save changes.

MAB authentication fallback to Guest VLAN

 

This feature allows the use of a Guest VLAN for clients that do not complete authentication, or when the RADIUS server is unreachable. It suits a configuration where authenticated devices should be on a designated VLAN and everything else, using the same SSID, is placed in a Guest VLAN.

 

This configuration can be used with or without VLAN tagging: authorized clients can be put in the designated VLAN by the VLAN tagging option, or can use the untagged VLAN the AP is using (the default behavior without VLAN tagging).

 

This feature is available from 27.2 onward.

 

To configure this feature, go to Wireless > Access Control. When MAC-based access control (no encryption) is selected, a new option appears where you can select "Use Guest VLAN" or "Don't use Guest VLAN".

Once "Use Guest VLAN" is selected, a field for the Guest VLAN information is displayed, where the VLAN ID can be entered.

 

For example:

 

Consider an SSID using MAC authentication with a VLAN tag of 10, and RADIUS Guest VLAN enabled with a Guest VLAN of 1.

 

When a client completes authentication, meaning the RADIUS server is reachable and the client received "Access-Accept" as a result of the authorization process, the client will be put into VLAN 10.

 

However, if the client is rejected or the RADIUS server is unreachable, the client will be put into VLAN 1, which is designated as the Guest VLAN.
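
The placement rules described above, as an added Python example that is not Meraki code and not part of the original article. The class, function and result names are hypothetical; the VLAN attributes are the RFC 3580 tunnel attributes (an assumption, since this page does not name them), and treating a missing or malformed VLAN attribute as "no override" is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

UNTAGGED = 0    # hypothetical marker: the AP's own untagged VLAN
DENIED = None   # hypothetical marker: association refused


@dataclass
class SsidConfig:                      # hypothetical model of the SSID settings
    vlan_tag: Optional[int]            # default SSID VLAN tag, None = no tagging
    radius_override: bool              # RADIUS response may override the VLAN tag
    guest_vlan: Optional[int]          # None = "Don't use Guest VLAN"


def radius_vlan(attrs: dict) -> Optional[int]:
    """VLAN ID from RFC 3580 tunnel attributes (assumed), else None."""
    if attrs.get("Tunnel-Type") != "VLAN":
        return None
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    try:
        vid = int(attrs.get("Tunnel-Private-Group-ID", ""))
    except (TypeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def place_client(cfg: SsidConfig, result: str, attrs: Optional[dict] = None):
    """result is 'accept', 'reject' or 'unreachable' (constructed labels)."""
    if result == "accept":
        vid = radius_vlan(attrs or {}) if cfg.radius_override else None
        if vid is not None:
            return vid
        return cfg.vlan_tag if cfg.vlan_tag is not None else UNTAGGED
    # Rejected client or unreachable server: Guest VLAN if enabled, else denied.
    return cfg.guest_vlan if cfg.guest_vlan is not None else DENIED


def audit(cfg: SsidConfig) -> list:
    """Flag settings where unauthenticated clients share the authorized VLAN."""
    findings = []
    if cfg.guest_vlan is not None and cfg.guest_vlan == cfg.vlan_tag:
        findings.append("guest VLAN equals the default SSID VLAN")
    return findings


# Constructed values matching the page's example: VLAN tag 10, Guest VLAN 1.
EXAMPLE = SsidConfig(vlan_tag=10, radius_override=True, guest_vlan=1)
```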


Article ID

ID: 1641
