
How to Prevent Unauthorised Devices on Your Network


Every device that connects to your network is a potential entry point for attackers. A single rogue laptop, an employee's personal tablet, or an IoT sensor plugged in without authorisation can bypass your firewall, introduce malware, or exfiltrate sensitive data. For UK businesses subject to regulations like the UK GDPR, the Data Protection Act 2018, and industry-specific frameworks such as PCI DSS and the NHS Data Security and Protection Toolkit, controlling which devices access your network is not optional — it is a legal and operational imperative.

This guide covers the strategies, technologies, and best practices that UK organisations should adopt to prevent unauthorised devices from connecting to their wired and wireless networks.

The Scale of the Problem

The proliferation of connected devices in the workplace has exploded over the past decade. It is no longer just company-issued laptops and desktop computers that need network access. Employees bring smartphones, tablets, and smartwatches. Facilities teams deploy IoT sensors for temperature, humidity, and occupancy monitoring. Marketing departments install digital signage. Meeting rooms have wireless presentation systems. Security cameras, printers, VoIP phones, and building management systems all demand connectivity.

In a typical UK office of 200 employees, you might find 800 or more connected devices on any given day. Without proper controls, any one of these could be an unauthorised device — a personal laptop with outdated antivirus, a rogue wireless access point set up by a well-meaning employee, or worse, a device deliberately placed by an attacker who gained physical access.

Company-issued laptops: 35%
Personal smartphones (BYOD): 28%
IoT devices and sensors: 18%
Printers and peripherals: 12%
Unknown or rogue devices: 7%

That seven percent of unknown or rogue devices is the danger zone. These are devices that have connected to the network without going through any authorisation process. They may be harmless — a contractor's laptop that was not registered — or they may be malicious. Without visibility and control, you simply cannot tell the difference.

Understanding the Risks

Unauthorised devices on your network create several categories of risk that UK businesses must take seriously.

Data Breach and Exfiltration

A device connected to your internal network can potentially access file shares, databases, and internal applications. If that device is compromised, an attacker could exfiltrate customer data, financial records, or intellectual property. Under the UK GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, and fines can reach up to 4% of annual global turnover or £17.5 million, whichever is greater.

Malware Propagation

An unmanaged device with outdated security patches or no endpoint protection can serve as a launching pad for malware. Once on the network, ransomware or worms can spread laterally to other devices, potentially crippling operations. The WannaCry attack of 2017 demonstrated this devastating potential, affecting NHS trusts across England and causing an estimated £92 million in damages.

Regulatory Non-Compliance

Beyond GDPR, UK businesses in regulated sectors face additional requirements. PCI DSS mandates network segmentation and access controls for any environment handling card payment data. The NHS Data Security and Protection Toolkit requires healthcare organisations to control device access. Cyber Essentials (the UK government's baseline security certification) applies its five technical controls to every device in scope, which presupposes that you know what is connected; a device nobody authorised has bypassed every one of those controls, so controlling what can connect is the practical prerequisite for holding the certification.

Operational Disruption

Even without malicious intent, unauthorised devices can cause operational problems. A personal device running bandwidth-intensive applications can saturate a WAN link. A misconfigured device can cause IP address conflicts or DHCP exhaustion. A rogue access point can create co-channel interference, degrading wireless performance for legitimate users.

Security Warning

A rogue wireless access point is one of the most dangerous unauthorised devices. An attacker can set up a device that mimics your corporate SSID (an evil twin) and, if client devices are not configured to validate the RADIUS server's certificate, harvest the password-based 802.1X credentials that employees' devices present to it. Always monitor for rogue APs using your wireless infrastructure's built-in detection capabilities, and enforce server certificate validation in your supplicant profiles so that an evil twin gets nothing useful even when a client does connect.

Network Access Control: The Foundation

Network access control (NAC) is the overarching discipline of determining which devices are permitted to access your network and what level of access they receive. A comprehensive NAC strategy combines multiple technologies and policies to create a layered defence.

802.1X Authentication

IEEE 802.1X is the gold standard for port-based network access control. It requires devices to authenticate before they are granted access to the network, using the Extensible Authentication Protocol (EAP) framework. In a typical 802.1X deployment, the process works as follows.

When a device connects to a switch port or associates with a wireless network, the port forwards nothing but EAP frames until authentication completes. The device (the supplicant) presents credentials, typically a digital certificate (EAP-TLS) or a username and password inside a TLS tunnel (PEAP or EAP-TTLS), to the switch or access point (the authenticator). The authenticator relays the exchange over RADIUS to the authentication server, which validates the credentials against a directory service such as Microsoft Active Directory or Microsoft Entra ID (formerly Azure AD). If authentication succeeds, the RADIUS Access-Accept can carry the VLAN the device should be placed in; if it fails, the port stays closed or, where the switch is configured for it, falls back to a restricted guest or quarantine VLAN. Two configuration details decide how much assurance this gives you: the supplicant must be set to validate the RADIUS server's certificate, otherwise an evil twin running its own RADIUS server can harvest password-based credentials, and a fallback VLAN is only as safe as the firewall rules that wall it off.

For UK businesses, 802.1X provides strong assurance that only authorised devices and users can access the network. It is supported by all major enterprise network vendors including Cisco Meraki, Aruba, Juniper, and Fortinet.

MAC Address Authentication

Some devices — printers, VoIP phones, IoT sensors — cannot perform 802.1X authentication because they lack a supplicant. For these devices, MAC authentication bypass (MAB) provides an alternative: the switch or access point sends the device's MAC address to the RADIUS server as its identity, and if it matches an entry on the whitelist the device is granted access to a designated VLAN.

MAC authentication is less secure than 802.1X because MAC addresses can be spoofed: the address is printed on the device's label and visible in every frame it sends, so anyone who can unplug a printer can plug in a laptop carrying the printer's address. When combined with network segmentation and monitoring, however, it provides reasonable control over devices that cannot support certificate-based authentication. We recommend isolating MAB-authenticated devices on a separate VLAN with restricted access, limiting each MAB port to a single MAC so that a second address appearing on the port triggers a violation, and using device profiling to confirm that what authenticated as a printer still behaves like one.

Device Profiling

Modern NAC solutions go beyond simple authentication by profiling connected devices. Profiling examines characteristics such as the device's operating system, MAC address vendor prefix (OUI), DHCP fingerprint, HTTP user agent, and network behaviour to classify it. A device that authenticates as a printer but behaves like a laptop can be flagged for investigation.

Cisco Identity Services Engine (ISE) and Meraki's built-in device profiling are examples of solutions that provide this capability. Profiling adds an important layer of defence, particularly against MAC spoofing attacks, and helps IT teams maintain an accurate inventory of connected devices.
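As an added illustration, not code from this page, from Meraki, Cisco ISE or FreeRADIUS, here is the decision a NAC policy server makes for a MAB request, with the profiling cross-check described above and the VLAN returned as the RFC 3580 tunnel attributes that carry VLAN assignment in a RADIUS Access-Accept (the same mechanism the 802.1X section relies on). All MACs, OUI prefixes, DHCP fingerprint strings and VLAN numbers are constructed sample data, and a real profiler learns the DHCP fingerprint only after the first lease and re-applies the decision with a RADIUS Change of Authorization, which this model skips.

```python
"""Added example (not code from the page, Meraki, Cisco ISE or FreeRADIUS):
the decision a NAC policy server makes for a MAB request, with a profiling
cross-check. All MACs, OUI prefixes, DHCP fingerprints and VLAN numbers are
constructed sample data."""

from dataclasses import dataclass
from typing import Optional

# RFC 3580 attributes a RADIUS Access-Accept carries to assign a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

QUARANTINE_VLAN = 999  # assumed: restricted VLAN for devices that need a second look

# Constructed MAB allow list: MAC -> (device class it was registered as, VLAN).
MAB_ALLOW_LIST = {
    "00:11:22:aa:bb:01": ("printer", 40),
    "00:11:22:aa:bb:02": ("voip-phone", 50),
    "aa:bb:cc:00:00:10": ("iot-sensor", 60),
}

# Constructed OUI table: vendor prefix -> the class of device that vendor makes.
OUI_CLASS = {"00:11:22": "printer", "aa:bb:cc": "iot-sensor", "dd:ee:ff": "laptop"}

# Constructed DHCP fingerprints: the Option 55 parameter request list each class
# sends. Real NAC products use large curated databases for this lookup.
DHCP_FINGERPRINT_CLASS = {
    "1,3,6,12,15,44,47": "printer",
    "1,3,6,12,15,42,66,150": "voip-phone",
    "1,3,6,12,15,28,42": "iot-sensor",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "windows-laptop",
}


@dataclass
class Observation:
    mac: str
    dhcp_param_request_list: Optional[str] = None  # Option 55, as "1,3,6,..."


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or aabb.ccdd.eeff; emit lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def profile(obs: Observation) -> Optional[str]:
    """Best-effort device class: DHCP fingerprint first, OUI second, None if unknown."""
    if obs.dhcp_param_request_list:
        cls = DHCP_FINGERPRINT_CLASS.get(obs.dhcp_param_request_list)
        if cls:
            return cls
    return OUI_CLASS.get(normalise_mac(obs.mac)[:8])


def vlan_attributes(vlan: int) -> dict:
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def mab_decision(obs: Observation) -> dict:
    """Access-Reject for unknown MACs; Access-Accept with the registered VLAN for
    known ones, downgraded to the quarantine VLAN when the device's observed
    profile contradicts the class it was registered as (the signature of a
    cloned MAC)."""
    entry = MAB_ALLOW_LIST.get(normalise_mac(obs.mac))
    if entry is None:
        return {"result": "Access-Reject", "reason": "MAC not registered"}
    expected, vlan = entry
    observed = profile(obs)
    if observed is not None and observed != expected:
        return {
            "result": "Access-Accept",
            "reason": f"profile mismatch: registered as {expected}, looks like {observed}",
            "attributes": vlan_attributes(QUARANTINE_VLAN),
        }
    return {"result": "Access-Accept", "reason": "MAB ok", "attributes": vlan_attributes(vlan)}


if __name__ == "__main__":
    for obs in (
        Observation("00:11:22:AA:BB:01", "1,3,6,12,15,44,47"),  # the real printer
        Observation("00-11-22-aa-bb-01", "1,3,6,15,31,33,43,44,46,47,119,121,249,252"),  # laptop cloning it
        Observation("dd:ee:ff:00:00:01"),  # never registered
    ):
        print(obs.mac, mab_decision(obs))
```

The second observation is the case the text warns about: the MAC is on the whitelist and its OUI belongs to the printer vendor, but the DHCP parameter request list is one a Windows client sends, so the session lands on the quarantine VLAN and the reason string goes to the alert rather than the device quietly inheriting the printer VLAN.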

Implementing Controls with Cisco Meraki

Cisco Meraki's cloud-managed platform offers a comprehensive suite of tools for preventing unauthorised device access. Here is how to leverage them effectively.

Wired Network Controls

Meraki MS switches support 802.1X and MAB authentication on every port. Configuration is managed centrally through the Meraki dashboard, making it straightforward to deploy across multiple UK sites. You can define access policies that specify whether a port uses 802.1X, MAB, or a combination (802.1X with MAB fallback for non-supplicant devices). Each policy can assign devices to specific VLANs based on their authentication status and group membership.

Wireless Network Controls

Meraki MR access points support WPA2/WPA3-Enterprise with 802.1X authentication, ensuring that only devices with valid credentials can associate with the corporate SSID. For guest access, Meraki offers a captive portal with customisable splash pages, time-limited access, and bandwidth throttling. You can also create separate SSIDs for BYOD devices, IoT equipment, and contractors, each with its own VLAN assignment and firewall rules.

Adaptive Policy and Group-Based Access

Meraki's adaptive policy feature allows you to define access rules based on device groups rather than IP addresses or VLANs. For example, you can create a policy that allows devices in the "Corporate Laptops" group to access all internal resources, whilst devices in the "IoT Sensors" group can only communicate with a specific cloud platform. This approach simplifies management and ensures that even if a device moves between sites, its access permissions follow it.

Rogue Access Point Detection

Meraki MR access points continuously scan the wireless spectrum (the Air Marshal feature) for rogue access points — unauthorised devices broadcasting an SSID that could be used for evil twin attacks. When a rogue AP is detected, it is displayed in the Meraki dashboard with details including its MAC address, the channels it is using, and the SSIDs it is broadcasting. You can configure alerts to notify your IT team immediately.

Control method             Wired  Wireless  Security level  Best for
802.1X with certificates   Yes    Yes       Very high       Corporate devices
802.1X with credentials    Yes    Yes       High            User authentication
MAC authentication bypass  Yes    Yes       Medium          IoT, printers, phones
Pre-shared key (PSK)       No     Yes       Low to medium   Guest or BYOD networks
Captive portal             No     Yes       Low             Guest access
Adaptive policy            Yes    Yes       High            Group-based segmentation

Network Segmentation

Even with authentication controls in place, network segmentation is essential. Segmentation divides your network into isolated zones, limiting the blast radius if an unauthorised device does gain access. At a minimum, UK businesses should maintain separate segments for corporate devices, guest access, IoT equipment, and server infrastructure.

VLANs are the most common segmentation mechanism. Each VLAN operates as a separate broadcast domain, and inter-VLAN traffic is controlled by firewall rules on the router or MX appliance. This means that even if an IoT sensor on the IoT VLAN is compromised, it cannot reach your file servers on the corporate VLAN, provided the inter-VLAN rules actually deny that traffic. A VLAN with a permit-any rule towards the corporate VLAN is segmentation in name only, so write the rules as default-deny and allow only the specific flows each segment needs.

For more granular control, consider micro-segmentation using Meraki's adaptive policy or a dedicated solution like Cisco TrustSec. Micro-segmentation applies access rules at the individual device or group level, regardless of VLAN membership, providing fine-grained control over east-west traffic within your network.

BYOD Policies and Management

Bring Your Own Device policies are common in UK businesses, and they present unique challenges for network access control. Employees expect to use their personal devices for work, but these devices are outside the direct control of your IT team. They may run outdated operating systems, lack endpoint protection, or be shared with family members.

A robust BYOD strategy should include the following elements. First, a dedicated BYOD SSID that provides internet access and limited access to cloud applications, but does not permit direct access to internal resources. Second, a device registration process — ideally self-service — that records the device's MAC address and owner. Third, a mobile device management (MDM) solution that can verify device compliance before granting access. Fourth, an acceptable use policy that clearly states what is and is not permitted on the network.

Meraki Systems Manager, Meraki's MDM platform, integrates directly with the wireless and switching infrastructure to enforce compliance. A personal device that fails a compliance check — for example, it is running an outdated operating system or has been jailbroken — can be automatically quarantined or denied access.

Monitoring and Alerting

Prevention is only half the battle. Continuous monitoring ensures that you detect unauthorised devices that slip through your controls. Here are the monitoring capabilities you should deploy.

First, maintain a device inventory. Your NAC solution or network management platform should maintain a real-time inventory of every connected device, including its MAC address, IP address, hostname, operating system, and authentication status. Review this inventory regularly — at least weekly — to identify unfamiliar devices.

Second, configure alerts for new device connections. Most enterprise network platforms, including Meraki, can send alerts when a new device connects to the network for the first time. This is especially important for wired connections, where a new device appearing on a switch port in a server room could indicate physical intrusion.

Third, monitor for anomalous behaviour. A device that suddenly begins scanning multiple IP addresses, generating unusually high volumes of traffic, or attempting to connect to known malicious domains should trigger an investigation. Meraki MX's built-in threat detection and Umbrella integration provide this capability.
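The three checks above, run over constructed data as an added example that is not Meraki dashboard code: a diff of today's client list against the last reviewed inventory, a severity triage that treats a first-seen device on a server-room switch or an unauthenticated device as critical, and a distinct-destination count over flow records that surfaces a host sweeping a subnet. The client fields, switch names, MACs, IPs and flows are all assumptions or constructed samples, shaped only loosely like what a NAC or network-management platform exports.

```python
"""Added example (not Meraki dashboard code): the three monitoring checks from
the section above, run over constructed data. Every field name, MAC, IP and
flow record below is an assumption or a constructed sample."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    mac: str
    ip: str
    hostname: str
    auth: str     # how it got on: "802.1X", "MAB", or "none" (an open port)
    switch: str
    port: int
    vlan: int


# Constructed: last week's reviewed inventory, keyed by MAC.
KNOWN = {
    "00:11:22:aa:bb:01": Client("00:11:22:aa:bb:01", "10.0.40.20", "PRN-RECEPTION", "MAB", "MS-FLOOR1", 3, 40),
    "dd:ee:ff:00:00:01": Client("dd:ee:ff:00:00:01", "10.0.10.51", "LT-JSMITH", "802.1X", "MS-FLOOR1", 7, 10),
}

# Constructed: today's live client list.
LIVE = [
    KNOWN["00:11:22:aa:bb:01"],
    KNOWN["dd:ee:ff:00:00:01"],
    Client("aa:bb:cc:00:00:10", "10.0.60.5", "SENSOR-3F", "MAB", "MS-FLOOR3", 20, 60),
    Client("de:ad:be:ef:00:01", "10.0.10.99", "", "none", "MS-SRV01", 12, 10),
]

SERVER_ROOM_SWITCHES = {"MS-SRV01"}  # assumed: a new device here means someone was in the room

# Constructed flow records (src_ip, dst_ip, dst_port) for a five-minute window.
FLOWS = [
    ("10.0.10.51", "10.0.10.5", 445),
    ("10.0.10.51", "10.0.10.6", 443),
    ("10.0.10.51", "10.0.0.53", 53),
]
# The sensor sweeping the corporate /24 on port 445 is a horizontal scan, and the
# fact that VLAN 60 can reach VLAN 10 at all is a segmentation failure as well.
FLOWS += [("10.0.60.5", f"10.0.10.{n}", 445) for n in range(1, 31)]


def new_devices(known, live):
    """Clients present now that were not in the last reviewed inventory."""
    return [c for c in live if c.mac not in known]


def triage(client):
    """First seen on a server-room switch, or on the network without any
    authentication, is critical; anything else is routine review."""
    if client.switch in SERVER_ROOM_SWITCHES or client.auth == "none":
        return "critical"
    return "info"


def new_device_alerts(known, live):
    return [
        (triage(c), c.mac, f"{c.switch}/{c.port}", c.hostname or "<no hostname>")
        for c in new_devices(known, live)
    ]


def scanners(flows, max_distinct_dsts=20):
    """Sources that contacted more distinct destination IPs in the window than
    any one legitimate client plausibly would; tune the threshold per segment."""
    dsts = defaultdict(set)
    for src, dst, _port in flows:
        dsts[src].add(dst)
    return sorted(src for src, seen in dsts.items() if len(seen) > max_distinct_dsts)


def main():
    for alert in new_device_alerts(KNOWN, LIVE):
        print("new device:", *alert)
    by_ip = {c.ip: c for c in LIVE}
    for ip in scanners(FLOWS):
        c = by_ip.get(ip)
        print("scan from", ip, f"({c.hostname}, VLAN {c.vlan})" if c else "(not in client list)")


if __name__ == "__main__":
    main()
```

Joining the scan source back to the live client list is the step that turns a bare IP into an action: the sweep here comes from a MAB-authenticated sensor, so the response is to move that MAC to the quarantine VLAN and check why the IoT segment could reach the corporate one, not to hunt for an unknown laptop.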

Compliance Note

Under Cyber Essentials, the five technical controls (firewalls, secure configuration, security update management, user access control and malware protection) apply to every device in scope. A device nobody authorised is by definition outside those controls, so if your organisation holds or is pursuing Cyber Essentials certification, increasingly required for UK government contracts, network access control is how you stop unknown devices from undermining the scope you certified.

Physical Security Considerations

Network access control is not purely a digital problem. Physical security plays a crucial role in preventing unauthorised devices. A locked server room is pointless if an attacker can simply plug a device into an unused switch port in a meeting room or reception area.

Disable unused switch ports. This is one of the simplest and most effective measures you can take. In the Meraki dashboard, you can administratively shut down any port that is not in use (or do it in bulk across an estate through the Dashboard API), preventing an unauthorised device from obtaining network access simply by plugging in an Ethernet cable.
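Doing this at scale means deciding, from 30 days of port status, which ports are safe to shut without breaking a hot desk that was used last week. The script below is an added example, not from this page or from Meraki: the decision is a pure function over port-status records so it can be run against the constructed sample offline, and the live path behind --apply uses the official meraki Python SDK's getDeviceSwitchPortsStatuses() and updateDeviceSwitchPort() calls as I understand them, with the record fields (portId, enabled, status, isUplink, usageInKb) and the environment variable names being assumptions to check against the current API reference before use.

```python
"""Added example (not from the page or Meraki): shut switch ports that are
administratively up but have carried no traffic for a month. The selection is a
pure function so it is testable offline; the SDK calls and record field names
are assumptions to verify against the Meraki Dashboard API reference."""

import os
import sys

# Constructed sample: 30 days of status for six ports on one switch, shaped like
# the assumed getDeviceSwitchPortsStatuses() response.
SAMPLE_STATUSES = [
    {"portId": "1", "enabled": True, "status": "Connected", "isUplink": True, "usageInKb": {"total": 9_000_000}},
    {"portId": "2", "enabled": True, "status": "Connected", "isUplink": False, "usageInKb": {"total": 120_000}},
    {"portId": "3", "enabled": True, "status": "Disconnected", "isUplink": False, "usageInKb": {"total": 0}},  # meeting room, never used
    {"portId": "4", "enabled": True, "status": "Disconnected", "isUplink": False, "usageInKb": {"total": 4_300}},  # hot desk, used last week
    {"portId": "5", "enabled": False, "status": "Disconnected", "isUplink": False, "usageInKb": {"total": 0}},  # already shut
    {"portId": "6", "enabled": True, "status": "Disconnected", "isUplink": False, "usageInKb": {"total": 0}},  # reserved, see KEEP
]

KEEP = {"6"}  # assumed exception list: ports deliberately left up (spare uplink, patch to a DR rack)


def ports_to_disable(statuses, keep=frozenset()):
    """Ports that are enabled, currently down, not an uplink, not exempt, and
    carried nothing in the window. A port that is down today but saw traffic
    recently (a hot desk) is left alone rather than breaking someone tomorrow."""
    out = []
    for p in statuses:
        if not p["enabled"] or p["isUplink"] or p["portId"] in keep:
            continue
        if p["status"] != "Disconnected" or p["usageInKb"]["total"] > 0:
            continue
        out.append(p["portId"])
    return out


def main(argv):
    serial = os.environ.get("MERAKI_SWITCH_SERIAL")  # assumed env var: the MS switch to act on
    if "--apply" not in argv or not serial:
        print("dry run on constructed sample, would disable ports:", ports_to_disable(SAMPLE_STATUSES, KEEP))
        return 0
    import meraki  # assumed: official Meraki Dashboard API SDK (pip install meraki)
    dashboard = meraki.DashboardAPI(os.environ["MERAKI_DASHBOARD_API_KEY"], suppress_logging=True)
    statuses = dashboard.switch.getDeviceSwitchPortsStatuses(serial, timespan=30 * 24 * 3600)
    for port_id in ports_to_disable(statuses, KEEP):
        dashboard.switch.updateDeviceSwitchPort(serial, port_id, enabled=False)
        print("disabled port", port_id)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments first and read the list; the exception set exists because a port that is "unused" in the statistics may still be a deliberate spare, and disabling it in bulk is exactly the kind of change that gets NAC projects blamed for outages.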

Lock down physical access to networking equipment. Switches, patch panels, and access points should be in locked cabinets or restricted areas. Cable locks and tamper-evident seals can provide additional assurance. In open-plan offices, consider wall-mounted access points with anti-theft brackets rather than desk-mounted units.

For organisations with visitor access — reception areas, meeting rooms, co-working spaces — ensure that Ethernet ports in these areas are either disabled, placed on a guest VLAN, or protected by 802.1X. A common attack vector is for an individual to plug a small, inconspicuous device into an Ethernet port during a meeting and leave it in place for weeks.

Building a Layered Defence

No single technology prevents all unauthorised device access. The most effective approach is a layered defence that combines multiple controls. Start with 802.1X authentication for all corporate devices, use MAB for devices that cannot support 802.1X, segment your network with VLANs and firewall rules, monitor continuously for new and anomalous devices, and enforce physical security over your infrastructure.

Layer these controls progressively. If you are starting from scratch, begin with wireless controls — they are typically easier to implement and cover the most common attack surface. Once your wireless network is secured, extend 802.1X to your wired network, starting with high-security areas like server rooms and executive offices, and expanding to the rest of the estate over time.

Document your policies and processes. Ensure that every employee understands the BYOD policy and the consequences of connecting unauthorised devices. Include network access control in your staff onboarding process and your annual security awareness training.

Common Pitfalls

Based on our experience with UK businesses, here are the most common mistakes to avoid when implementing network access controls.

First, do not rely solely on MAC address filtering. While MAC filtering provides a basic level of control, MAC addresses are trivially easy to spoof. An attacker who knows the MAC address of a legitimate device — which can be obtained by passively monitoring wireless traffic — can clone it and gain access. MAC filtering should be one layer of your defence, not the only one.

Second, do not forget about the wired network. Many organisations focus their access control efforts on Wi-Fi, overlooking the wired network entirely. A physical Ethernet port in a meeting room, reception area, or open-plan office is just as much of a risk as an unsecured wireless network. Extend your access controls to all wired ports, not just wireless.

Third, plan for exceptions. There will always be devices that do not fit neatly into your authentication framework — a contractor's laptop, a vendor's diagnostic tool, a new IoT device that has not been registered. Have a documented process for handling exceptions that does not involve disabling your security controls. A quarantine VLAN with limited internet access is a good interim solution.

Fourth, keep your device inventory current. An access control system is only as good as its database. If an employee leaves the organisation but their device is not removed from the whitelist, you have a gap. Integrate your NAC solution with your HR and IT asset management systems to ensure that device authorisations are revoked promptly when staff depart.

Conclusion

Preventing unauthorised devices on your network is a fundamental security requirement for any UK business. The combination of regulatory obligations, evolving cyber threats, and the sheer volume of connected devices in modern workplaces makes robust network access control essential. By deploying 802.1X authentication, segmenting your network, implementing BYOD policies, and monitoring continuously, you can dramatically reduce your attack surface and protect your organisation's data, reputation, and operations.

The technologies to achieve this are mature, well-supported, and available from all major enterprise network vendors. The challenge is not technical — it is organisational. It requires commitment from leadership, collaboration between IT and security teams, and ongoing discipline in maintaining policies and monitoring compliance.

Secure Your Network Against Unauthorised Devices

Our network security specialists can assess your current access controls, design a comprehensive NAC strategy, and deploy the technologies needed to protect your UK business. From 802.1X configuration to BYOD policy development, we cover every aspect of network access control.

Tags: Network Admin, Network Security, Access Control
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.