Meraki cloud-hosted authentication Users Global

SOLVED
GIdenJoe

Hi everyone,

Quick question/remark:

I'm a full admin of several organizations so I should see all users in every network in those organizations.

In the following Meraki document: https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

It clearly states that: User accounts configured in the Meraki-hosted authentication server are global to the networks in the organization. So, a password change to a user account in one network applies to other networks in which the user account may be used.

When I add an SSID in one network with Open/WPA2-PSK and then log in through the splash page and do the same for another network, I see the users and can authorize them for each network.
However, when I use WPA2-Enterprise on the SSID on the second network, the Users list is empty.

Is there a logical reason why dot1x users are probably in a separate database?

Wouldn't it be better if there was one list of Users for the entire organization and they could also be authorized for all the SSIDs of the same name in every network? I know you usually use AD for that, but this company doesn't work with AD at this time.

PhilipDAth

Users have to be authorised for each access type.

 

So you need to authorize that user for WPA2-Enterprise (as well as for splash page access).

@PhilipDAth is right.

It's also documented on the Users page:

[Image: 2019-04-16 07_20_08-Greenshot.png]

Hey, I've seen that message popping up with wired authentication policy but not with wireless SSIDs.

So if I read your answers correctly, Meraki manages two separate user DBs per organization: one for admins (dashboard mgmt, clientVPN) and guests (guest portal, clientVPN), and another purely for dot1x purposes, wired and wireless.

Without looking towards the MDM solution, I guess the admins/guest will also be used for the ownership of devices?

Is there a reason those DBs are separate? Because I see a big potential for overlapping users without the option to share users between those DBs.

PhilipDAth

> Without looking towards the MDM solution, I guess the admins/guest will also be used for the ownership of devices?

No. MDM owners are a separate entity again. MDM owners are often only used to denote the owner, but can optionally be used for authentication in the MDM environment as well.

> Is there a reason those DBs are separate? Because I see a big potential for overlapping users without the option to share users between those DBs.

The Organization/Network administrators tend to be static. The guest users tend to turn over much quicker.

You could always use something external like Active Directory if you like.
