Does Meraki accept RADIUS Tunnel-Private-Group-Id attribute being VLAN name and not VLAN ID ?

Solved
BeepBeep1
Conversationalist


Dear Meraki community,

 

I am considering using OneLogin RADIUS service for my company's wired and wireless authentication.

 

The problem being that I can only configure the RADIUS attribute Tunnel-Private-Group-Id value to be the matching role name of my user and not the role VLAN ID.

 

So for example, if I'm assigned the HR role on OneLogin, the RADIUS reply message will be the following:

     Tunnel-Private-Group-Id:0 = "HR"
     Tunnel-Type:0 = VLAN
     Tunnel-Medium-Type:0 = IPv4
     Filter-Id = "HR;Social Media"

 

Can Meraki properly interpret this RADIUS reply message and assign the "HR" VLAN declared in my Dashboard ?

 

Thank you all in advance 🙏

1 Accepted Solution
jdsilva
Kind of a big deal

So the answer is no to tunnel-group-id, but I see there is Filter-Id in the response. You can use that to assign a Group Policy to the user/device, which in turn can specify a VLAN. Maybe that approach will work for you?

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply...

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...

 

 

9 Replies
jdsilva
Kind of a big deal

Sorry, I take that back! I should know better to double check before I answer!

 

It looks like tunnel-group-id is honoured, but it needs to be the VLAN number, not the name.

 


 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

 

BeepBeep1
Conversationalist

Thank you @jdsilva and @PhilipDAth for your answers!

 

I’ll probably stick with the group policy through the filter-id.

 

A feature request might take a while at OneLogin.

 

 

PhilipDAth
Kind of a big deal

To add to @jdsilva's response further - Meraki has no concept of a VLAN name. So you can only use IDs (and group policy names).
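
Added example, not part of any post in this thread and not Meraki or OneLogin code: a Python check that flags a Tunnel-Private-Group-Id carrying a name instead of a VLAN number, plus a name-to-ID rewrite of the kind a RADIUS proxy in front of the identity provider could apply. The `ROLE_TO_VLAN` table, its VLAN IDs and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the reply attributes quoted in the question above.
SAMPLE_REPLY = '''
Tunnel-Private-Group-Id:0 = "HR"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IPv4
Filter-Id = "HR;Social Media"
'''

# Hypothetical role-name -> VLAN ID table; these IDs are made up.
ROLE_TO_VLAN = {"HR": 30, "Engineering": 40}

# Matches "Attr[:tag] = value" where the value may be double-quoted.
LINE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*"?(.*?)"?\s*$')

def parse_reply(text):
    """Parse attribute lines into {attribute: value}; the tag is dropped."""
    attrs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(3)
    return attrs

def check_vlan(attrs):
    """Return (vlan_id or None, list of problems) for one reply."""
    value = attrs.get("Tunnel-Private-Group-Id")
    if value is None:
        return None, ["Tunnel-Private-Group-Id missing"]
    problems = []
    if attrs.get("Tunnel-Type") != "VLAN":
        problems.append("Tunnel-Type is not VLAN")
    # 802.1Q VLAN IDs are 1-4094; a role name such as "HR" fails here.
    numeric = value.isascii() and value.isdigit()
    if not numeric or not 1 <= int(value) <= 4094:
        problems.append(f"Tunnel-Private-Group-Id {value!r} is not a VLAN number")
        return None, problems
    return int(value), problems

def rewrite_role_to_vlan(attrs, table=ROLE_TO_VLAN):
    """Swap a known role name for its VLAN ID; unknown names are left
    unchanged so they still fail check_vlan instead of passing silently."""
    out = dict(attrs)
    role = out.get("Tunnel-Private-Group-Id")
    if role in table:
        out["Tunnel-Private-Group-Id"] = str(table[role])
    return out
```
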

HandikaNursandy
Comes here often

Hello guys.

I am working on a project using a RADIUS that is combined with the RADIUS of the server.

What type of RADIUS server is suitable for use with Cisco Meraki? Is FreeRADIUS able to do "Tunnel-Private-Group-ID" in connection with Cisco Meraki?

PhilipDAth
Kind of a big deal

>Is FreeRADIUS able to do "Tunnel-Private-Group-ID" in connection with Cisco Meraki?

 

Yes.

HandikaNursandy
Comes here often

Thanks for your answers, @PhilipDAth.

Btw, do you have a tutorial or documentation on configuring Tunnel-Private-Group-Id on FreeRADIUS?

PhilipDAth
Kind of a big deal

Google is thick with answers.

Jens94
Conversationalist

Hi BeepBeep1,

 

Check out firmware version 15.x for MS.

With this version, VLAN Profiles are introduced. With this feature you can use named VLANs via the RADIUS Tunnel-Private-Group-Id attribute.
