SSID, BYOD, Machine Authentication and RADIUS failover

Zak
Here to help

SSID, BYOD, Machine Authentication and RADIUS failover

Dear Experts,

 

Soliciting some opinions:
SSID setup:

We basically have a set of two groups, Student and Staff. Students do not need access to anything else other than the Internet throughout the campus.

Is it recommended to go with two separate SSIDS in this scenario?
School-staff, school-students
Using RADIUS
Separate VLAN for students

OR, if we are going the RADIUS and VLAN route anyways, maybe just do group based VLAN assignments and keep SSID to one?

Readin through this, it seems it's always better to reduce SSIDs?
https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerati...

 

BYOD:
What is the best approach. We want everyone to use their unique credentials (AD/RADIUS)

Is it possible to get the login prompt (windows/Mac) when they connect their perosnal machines (non-domain joined) to ethernet (Meraki switches)

What about their routers (if any) and other devices such as Apple watch etc.?

 

Machine Auth:
For domain joined machines, I see here that it's possible to do machine authentication because we don't want any login prompts
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...
I couldn't find any detailed documentation for Machine auth in Meraki docs, any recommendations?


Lastly, if I want to achieve RADIUS failover, according to this:
https://documentation.meraki.com/MR/MR_Splash_Page/RADIUS_Failover_and_Retry_Details

All I need to do is setup two RADIUS server with identical configuration, and then add servers>strict policy?

 

Thanks!

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

How many student devices are you expecting?

Do you currently drop all of these into one VLAN, or do you have a different VLAN per "block", or some other method of breaking the network up for these devices?

I was going to say use a single SSID, but sometimes using two provides a natural way for breaking up the network.

 

What RADIUS server are you using?

 

 

With regard to wired BYOD and 802.1x - Windows machines in particular don't have the 802.1x service running by default.  You have to enable it through group policy.  So in a BYOD environnent this wont work well.

I would tend to make the default VLAN (whatever you use for that) a "challenge" VLAN.  If you 802.1x challenge the device and it can authenticate you can drop it into another VLAN.

If it can't authenticate you can leave it in the default VLAN but then further up the stack to the MX and configure this VLAN for splash page authentication.

 

Then those BYOD devices that can properly handle 802.1x will, and those that can't get a splash page (and can authenticate via RADIUS using their web browser).

 

 

 

In Windows gorup policy you can configure a device to authenticate with its machine account, the user account, or both (it does machine first and then user when the user logs into the machine).  Note when doing both or user authentication you really want to be using Windows 10 (works much better).

In a windows environment you really want to do a minimum of machine authentication.  Otherwise the machine can't talk to the domain at the point the login prompt appearrs.  So you can't apply group policy prior to login, and you can't log in without using cached credentials.

In your case, assuming you have all Windows 10, you can probably go with machine+user authentication.

This is amazing stuff!

 

If I go for 2 devices each, roughly around 500-600 devices total. In our current setup, we are simply dropping all (Student/staff) Wi-Fi traffic into a single VLAN. So, per user vlan tagging isn't going to be efficient enough and better to go with two SSID?

 

It will be Windows 2019 NPS and this will be first time RADIUS setup. All domain joined machines (labs, classrooms etc.) are 100% Windows 10.

 

Your BYOD VLAN suggestion is very cool, I didn't know about the issues with 802.1x. With this approach, we may not be putting all BYODs in the same VLAN but at least authentication is happening, which is the goal. I will read up more on splash page configuration.

 

So, the machine authentication bit is very interesting. What are you recommending is that we do both machine+user authentication, but that still doesn't solve the problem of getting the group policy applied before login? so better to leave domain joined machine authentication alone?

PhilipDAth
Kind of a big deal
Kind of a big deal

> What are you recommending is that we do both machine+user authentication, but that still doesn't solve the problem of getting the group policy applied before login?

 

Yes it does.  The machine will authenticate using its own account on boot up.  Group policy can then be applied.

 

Sometime later the user authenticates.  If this is suceesfull and the machine then re-authenticates with the user accoun.

Very nice, seems like I need to do a lot of testing in lab before deploying this in prod.
PhilipDAth
Kind of a big deal
Kind of a big deal

>If I go for 2 devices each, roughly around 500-600 devices total. In our current setup

 

Is that 500 to 600 student devices, or devices in total including staff?

So, staff is probably another 150 and then labs and library is another 80. So grand total of around 850 devices.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.