Hi everyone. I need to enable scheduled access to both Wired and Wireless resources during a specific time. The complication is that different users have different schedule of access.
VLAN 2 - most users are allowed access Mon - Fri 9am - 5pm. However a subset of users need access Mon - Fri 9am - 11:45pm on the same VLAN and possibly a third set of users 24/7.
Ideally I would like to use internal Meraki users and be able to sign in via a splash page and based upon the schedule that is associated with that user (group of users) they are granted the appropriate access.
Can anyone suggest a possible solution? I would also entertain a cloud radius server that they could authenticate against but the server would have to be able to take a login-time attribute to calculate the session-timeout to be passed. The other issue with this is that once the session does time out, i.e. at 5pm, users want to be able to simply join the network the next morning at 9am and not have to re-authenticate (some type of Mac based authentication once they have authenticated once.)
Or is there a way to set a group policy by user that is logged in. For example a user logs into a wifi network and based upon user name a group policy is defined with a schedule. A user logs into a wired computer and a group policy is defined directing to a vlan etc based upon the user.
You could have user based policies (https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...) by leveraging MX‘s Active Directory connection (https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...).
Then, apply time based policies based on group membership (https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...)
Thank you @CptnCrnch Unfortunately they don't have an AD but would jumpcloud work for this? Or another cloud LDAP or AD service? What would you recommend?
All traffic would have to flow through an MX. The VLAN(s) the users are on will need to be configured to do splash page authentication. You will need to use group policy with a schedule in it to change the firewall rules.
Now you need something that can authenticate the users and apply a specific group policy. I believe Splash Access has something that can do this:
I don't know if Jump Cloud can assign group policy based on users, but you would check them out as well:
Thanks @PhilipDAth.. I would love to use jumpcloud, but it appears that they can only apply a group policy through the filter-id on wifi. On the MX when configuring radius, I don't have an option for group policy through the filter-id attribute. Does anyone know if this will work?
I have been in touch with spashaccess and although they advertise something similar to this, they are saying it is a bespoke solution. Still waiting to hear back to see if they can for sure do this.
>On the MX when configuring radius, I don't have an option for group policy through the filter-id attribute.
That is wrong. It will work.
Yes, that is for MR (Access Points) but doesn't apply to MX Access Control at the Security Appliance level. As far as I can tell and have tried.