Keeping my SSIDs secure without an AD

  • 1
  • Question
  • Updated 3 years ago
We are a 1:1 school district with Apple. We have 1600 devices across 3 campuses. We also heavily utilize Google Apps for Education, faculty and students alike. We have ZERO need for an active directory. We manage all the users in the Google Apps domain, and we manage the macbooks and iPads with Profile Manager, Meraki, and ARD.

Our issue: Keychain Access on MacBooks allows students to see the SSID password. They are administrators of their machines, but installed profiles limit many of their abilities. Keeping an SSID password secure is next to impossible.

How can we secure our SSIDs? We have 3: Staff, Student, and Guest. Each is on a different VLAN.

I was thinking about MAC address filtering, but putting that many addresses on the AP doesn't seem ideal; it's also the LEAST secure way of doing anything. I really do not want to have to create and manage an Active/Open Directory.

I apologize for my ignorance, but I really don't see how else to do it. 

Other appliances for consideration are a Barracuda 610 web filter and an X300 firewall. The firewall is my current DHCP. There does NOT appear to be a way on it to blacklist/whitelist MACs to VLANs. Obviously, I just want students to be able to access the Student SSID. Each SSID is filtered differently in the Barracuda web filter via IP groups.

Any thoughts?
  • 1 Post
  • 0 Reply Likes

Posted 3 years ago

  • 1
James Watson

  • 70 Posts
  • 8 Reply Likes
I am also in exactly the same boat as you, and would like to know this answer. Justin, also consider adding a plus one to this request:
Jonas Dekkers

  • 149 Posts
  • 29 Reply Likes
Create a PPSK for every machine and limit it so that the PPSK can only be used by 1 machine with MAC binding. You can make a CSV for this import.
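One way to produce such a per-device PPSK import file, as an added example that is not code from the original thread or from Aerohive: each device gets its own random passphrase from the OS CSPRNG, MAC addresses from an MDM export are normalised and de-duplicated before binding, and the result is written as CSV. The column names and the device inventory are assumptions; match the columns to your controller's import template.

```python
import csv
import io
import re
import secrets

# Constructed inventory (hostname -> MAC as exported from an MDM,
# with the mixed separators and case such exports usually have).
DEVICES = {
    "mb-1001": "A4:5E:60:11:22:33",
    "mb-1002": "a4-5e-60-44-55-66",
    "ipad-0201": "a45e60778899",
}

# Assumed column names; not a documented Aerohive format.
FIELDS = ["user_name", "mac_binding", "ppsk"]

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw: str) -> str:
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def generate_ppsk(nbytes: int = 12) -> str:
    """Random per-device passphrase (16 URL-safe chars, within WPA2's 8-63 limit)."""
    return secrets.token_urlsafe(nbytes)

def build_ppsk_rows(devices: dict) -> list:
    """One row per device; a duplicate MAC is an error, not a silent second key."""
    rows, seen = [], set()
    for name, raw_mac in devices.items():
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"duplicate MAC {mac} for {name}")
        seen.add(mac)
        rows.append({"user_name": name, "mac_binding": mac, "ppsk": generate_ppsk()})
    return rows

def to_csv(rows: list) -> str:
    """Render the rows as CSV text (header + one line per device)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_ppsk_rows(DEVICES)))
```

Keep the generated file out of shared folders and re-run the script to rotate keys when a device is lost, since each PPSK identifies one machine.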
Anjanesh Babu

  • 68 Posts
  • 7 Reply Likes
If you already have a Google Apps domain, why not try using it as your RADIUS database?

Option 1. Use a third-party supplier that integrates with your Google Apps domain and do 802.1X against this third party.

Examples are Cloudessa and IronWifi.

Option 2. Build your own RADIUS server that authenticates against Google Apps.

Example (note this requires PAP authentication, which is relatively insecure).

Please don't even think of MAC address filtering. Aerohive only supports up to 256 addresses per SSID, so there is no point taking that route with your numbers.

Hope this helps. Would be interesting to see how your end solution works.

Good luck.
Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
If you used AD for 802.1X with VLAN assignment, you could also sync AD with Google through GADS and GAPS. You can do wild-card allow/deny in NPS with MAC authentication and PowerShell to bulk import MAC addresses. Or do FreeRADIUS.