I’m standing up a new office, and we’ve decided to go with Meraki all the way from the ISP handoff to the APs - so MX security appliance (MX100), MS switches (MS225s), and MR APs (MR42). I want to use a few VLANS - 4 internal/company based and 2 external based (Guest and an employee Wi-Fi). In past offices, we’ve used MR42 and setup a wireless BSSID 802.1x domain network for domain computers to automatically connect when enter the office/network by way of RADIUS authentication. We used GPO to configure the domain computers and provide the certificate for the RADIUS authentication. Since we only had MR42 and no other Meraki devices, we could use the MR42 Wi-Fi for this setup. Now with the network completely Meraki, I seem to be having issues. I want to continue the 802.1x BSSID domain wireless setup. Now I want to utilize RADIUS and/or LDAP for authenticating users in order to automatically link them to the appropriate VLAN using their security group membership in our AD. I also want to be able to use this combination to dynamically assign the appropriate VLAN for the switch port if they connect using Ethernet. This way, I don’t necessarily need to configure each port based on who is using it. We are moving to a “Hotelling” office so not everyone will be assigned a specific desk and will be changing day to day based on who reserves which desk, etc. So, each desk will be setup with a Ethernet docking station connected to a VoIP phone - so a data passthrough to the computer. Of course we thought this would all be simple by having an all Meraki Network. So, I’ve been trying to utilize Policy Objects, Group Policies, AD Group mapping, RADIUS on APs and through switches and MX device. First question since I’m having RADIUS failure issues with Wi-Fi, should I still use the MR42s as the RADIUS Authenticators and assigning VLAN tagging? Or, should I not do any VLAN tagging (other than the Meraki Guest wifi) or RADIUS at the MR42 and instead attempt to use the MS225 switches and/or MX100 for the Authentication and VLAN assignment? From some of the tracing I’ve been able to do for the MR42 RADIUS failures is that there are multiple RADIUS authentication requests being sent. Oh, we also utilize Azure Conditional Access for multi factor, and I’ve not been able to exclude the office from the MFA verification, and even though I excluded myself from MFA, I still get prompted for verification each time I join an AP and when I move around and join another AP and back again. I have more questions, but this is already too long. What is the best combination of Meraki features to accomplish my goals - RADIUS, VLAN based on user/computer login, computer auto-join BSSID wifi, and utilizing AD security groups for VLAN assignment, etc?
I think the best option is to go with MR46 AP's to start with, since they are running the 802.11ax standard aka WiFi6. Check out the latest MX-firewall series X5, like MX85 and MX95.
Also have a look at the MS390 I think it will leverage a lot of automation that you are looking for. Otherwise MS225 will do the work for 802.1x that you are pointing out.
I would go with a full implementation of 802.1x with EAP-TLS based authentication, if you have a RADIUS-server like Cisco ISE that can handle the authentications and authorizations. Let the RADIUS-server pass on the correct VLAN for the device or user that is connecting to the network.
On the first question: Use the MR accesspoint as the Authenticator, it's the IP-address of the MR that the RADIUS-server get the requests from. The port connected to the MR will be configured as a TRUNK, so the MR will let the clients out on correct VLAN based on the reply and information from RADIUS-server (if I recall correct).
Not sure if RADIUS server like ISE is fully compatible with Azure AD at the moment, I think you will need to go with like ISE 3.0 or ISE 3.1 to get the user attributes.
We don’t have access to an ISE server. We’ll use Windows based server and on prem Domain Controller/AD. I understand the MR devices would be set on Trunk to be able to pass on the correct VLAN for the user. What about hard wired users who will connect to Ethernet which is connected to VoIP phone which is connected to Meraki switch? Right now I have the ports for “Access” with the Voice VLAN enabled. To get these users to the correct VLAN, do the ports need to be configured as a “Trunk” as well? Or would I do something else like, have a “backbone”/Native VLAN set which can access all VLANs and then set the ports as “Access” with that VLAN and then the voice VLAN? Would the switch be able to forward that connection to the correct VLAN while maintaining security between the other VLANs - I.e. no inter-VLAN communication unless rules provided for some to communicate? What settings would I need on MS switches as well as MX security device? Also, maybe as a side note, what then is the purpose of the “Active Directory” setting on the MX100? If enabled, would that take care of establishing to which VLAN users would be singed assigned instead of needing to setup VLAN in RADIUS authentication?