2 VLAN for Same SSID Meraki AP with Radius Authentication

SLR
Building a reputation


Can you create 2 VLANs to use one SSID for Meraki MR55 with RADIUS Authentication?
I want to create the same global SSID for upstairs/downstairs, but I want the downstairs clients to get a VLAN 160 IP address and I want the upstairs clients to get a VLAN 170 IP address.
How can this be done using one SSID?
Can I create two 802.1X connection policies (1 for VLAN 170 and 1 for VLAN 160)? In RADIUS clients I have two APs: downstairs APs *with downstairs subnet* and upstairs AP *with upstairs subnet*.
Will it be smart enough to connect and recognize, coming from the same SSID, which VLAN to come on to?
Does the order matter in the connection request/network policies tabs?
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

jdsilva
Kind of a big deal

You bet you can do this. You need to enable RADIUS override for VLAN assignment, then return the correct attributes in the RADIUS Accept.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/RADIUS_Override

You're going to have to configure your RADIUS server to make a decision on something though... Maybe NAS IP address? If the NAS is a downstairs AP then return downstairs subnet sort of thing.
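
Added example, not part of the original thread and not Meraki or RADIUS server code: a small model of the decision described above, where an ordered, first-match policy list keyed on the NAS (AP) IP address picks the VLAN returned in the Access-Accept. The AP subnets, addresses and function names are constructed placeholders; only VLAN 160 and 170 come from the thread, and rejecting an unlisted AP is a design choice of this sketch.

```python
import ipaddress

# Constructed policy list: the AP subnets are placeholders; only the VLAN IDs
# (160 downstairs, 170 upstairs) come from the thread.
POLICIES = [
    {"name": "downstairs", "nas_subnet": "10.0.160.0/24", "vlan": 160},
    {"name": "upstairs", "nas_subnet": "10.0.170.0/24", "vlan": 170},
]

def vlan_attributes(vlan_id):
    """Tunnel attributes (RFC 3580) that carry a VLAN ID in an Access-Accept."""
    return {
        "Tunnel-Type": "VLAN",             # attribute value 13
        "Tunnel-Medium-Type": "IEEE-802",  # attribute value 6
        "Tunnel-Private-Group-ID": str(vlan_id),
    }

def decide(nas_ip, policies=POLICIES):
    """Return (reply, attributes) for an already authenticated user.

    Policies are checked top to bottom and the first match wins. A request
    from an AP outside every listed subnet is rejected (fail closed).
    """
    addr = ipaddress.ip_address(nas_ip)
    for policy in policies:
        if addr in ipaddress.ip_network(policy["nas_subnet"]):
            return "Access-Accept", vlan_attributes(policy["vlan"])
    return "Access-Reject", {}

def order_matters(policies, nas_ips):
    """True if reversing the policy order changes any decision."""
    flipped = list(reversed(policies))
    return any(decide(ip, policies) != decide(ip, flipped) for ip in nas_ips)

if __name__ == "__main__":
    aps = ["10.0.160.11", "10.0.170.12"]  # constructed AP addresses
    for ap in aps:
        print(ap, decide(ap))
    # A rule whose condition covers both floors shadows whatever follows it.
    broad = [{"name": "any-ap", "nas_subnet": "10.0.0.0/16", "vlan": 170}] + POLICIES
    print("disjoint rules, order matters:", order_matters(POLICIES, aps))
    print("overlapping rule, order matters:", order_matters(broad, aps))
```

With non-overlapping NAS conditions the two rules give the same result in either order; a rule with a broader condition placed first decides the VLAN for every AP it covers.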

Food for thought, although I have not ever actually used this feature yet, but what about doing the AP TAG feature under Access-Control?

So tag 4FL for 4th floor access points, and 3FL for 3rd floor access points, and then under access control, change VLAN ID and click 'add vlan' and insert the tags and insert the VLAN.

Having never actually used that feature, I feel like, from what I'm seeing in the settings, it would do exactly what you want.
Nolan Herring | nolanwifi.com
SLR
Building a reputation

Does the order matter? When I put VLAN 170 upstairs in second after VLAN 160 downstairs (these are example VLANs), I tried to connect, since my downstairs AP is behind me and I am downstairs, but it would not let me access (it authenticated me but said no internet).

When I moved the order where VLAN 160 was set as #1 for processing order, I was able to connect. Switch downstairs has VLAN 160 but not VLAN 170. Switch upstairs has VLAN 170 but not VLAN 160.

1.PNG

jdsilva
Kind of a big deal

Assuming there's nothing else in those rules order shouldn't matter, but I would keep them together.

I like @NolanHerring's solution here. That seems a lot easier.


@jdsilva wrote:

Assuming there's nothing else in those rules order shouldn't matter, but I would keep them together.

I like @NolanHerring's solution here. That seems a lot easier.


33333.JPG

Nolan Herring | nolanwifi.com
SLR
Building a reputation

Thank you - I will try and test later. To confirm, setup would look like this, correct? (2.PNG)

NolanHerring
Kind of a big deal

Looks good to me, although I think you can (maybe should?) turn off the RADIUS override stuff for this test. Also, assuming there are not any other access points involved, it should be fine leaving the 'all other APs' to 1 as well.
Nolan Herring | nolanwifi.com