
Google Authentication + Vlan Assignments

Conversationalist

Google Authentication + Vlan Assignments

Hello, 

 

I will be rolling out Meraki hardware at my company's new office soon. I've already tested Google authentication (802.1X) using an app-specific password and it works great. 

 

I would like to know if there is a way to apply a specific VLAN to a specific group or user. For example, if someone in the Engineering department connects to the Wi-Fi using their app-specific password, we'd like for them to automatically be tagged to a specific VLAN. Is this possible?

5 REPLIES
Kind of a big deal

Re: Google Authentication + Vlan Assignments

Hey there,

 

You have two options. You can return a couple of RADIUS attributes to dump the user into a given VLAN, or you can return the name of a Group Policy via a RADIUS attribute and inside the GP specify a VLAN.

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_...

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply...
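
The first option in the reply above (returning RADIUS attributes that place a user in a VLAN), as an added example that is not part of the original post or of Meraki's documentation: it encodes the standard tunnel attributes from RFC 2868 / RFC 3580 that a RADIUS server would include in an Access-Accept. The group names, VLAN IDs and function names are hypothetical.

```python
# RADIUS attribute type codes and values (RFC 2868, RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TT_VLAN = 13        # Tunnel-Type value "VLAN"
TMT_IEEE_802 = 6    # Tunnel-Medium-Type value "IEEE-802"

# Constructed sample mapping; group names and VLAN IDs are hypothetical.
GROUP_TO_VLAN = {"engineering": 20, "finance": 30}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Return the three tunnel attributes that place a client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (
        # Tagged integer attributes: 1 tag byte followed by a 3-byte value.
        avp(TUNNEL_TYPE, bytes([tag]) + TT_VLAN.to_bytes(3, "big"))
        + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TMT_IEEE_802.to_bytes(3, "big"))
        # The VLAN ID is sent as an ASCII string, here without a tag byte.
        + avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii"))
    )


def reply_attributes(groups: list[str]) -> bytes:
    """Pick the VLAN for a user's groups; return no override when unsure.

    An empty result leaves the client on the SSID's default VLAN, so an
    unmapped or ambiguous user never lands in a privileged VLAN by accident.
    """
    vlans = {GROUP_TO_VLAN[g.lower()] for g in groups if g.lower() in GROUP_TO_VLAN}
    if len(vlans) != 1:
        return b""
    return vlan_attributes(vlans.pop())


if __name__ == "__main__":
    print(reply_attributes(["Engineering"]).hex())
```

Returning nothing for a user whose groups map to more than one VLAN is a design choice made for this example; a real deployment might instead define a priority order.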

Conversationalist

Re: Google Authentication + Vlan Assignments

So there's no way to do this with G Suite authentication? I know this can be done by selecting "my Radius server" as a form of authentication, but I wanted to use Google. 

Kind of a big deal

Re: Google Authentication + Vlan Assignments

Oh! I'm sorry. I didn't realize that was an option. My understanding was you had to use RADIUS for .1X. We don't have that enabled on our Orgs so I don't have that in my dropdowns. I had just assumed that Google Auth was using RADIUS somewhere. 

 

 

Kind of a big deal

Re: Google Authentication + Vlan Assignments

You would need to use a third-party RADIUS server with Google Authentication support.

 

A quick Google seems to indicate JumpCloud supports this.  Never tried this combination myself.

https://jumpcloud.com/blog/radius-authentication-google-idaas/

 

You might be able to do this using FreeRadius as well.  Never tried it myself.

https://www.supertechguy.com/help/security/freeradius-google-auth/

Comes here often

Re: Google Authentication + Vlan Assignments

I would regard Google Authentication as a temp fix for single-VLAN locations where a user-base directory for RADIUS Authentication is not available. There are some serious drawbacks to using Google Authentication:

 

1 - Must generate a GSuite App-Specific password per user.

2 - Must install or activate a mobile-config profile on Mac OS (per network) or Windows machines (per user).

3 - You cannot re-use the same SSID in multiple locations if one is Google Auth, but the other location uses RADIUS.

4 - I have had reports of users unable to connect to other open networks, such as hotel-net WiFi networks. Deleting the Google authentication mobile.config profile for Mac OS users seems to allow that.

5 - No dynamic VLAN assignments possible via Google alone, and you can't even set up separate SSIDs for different VLANs and expect some users to work on one SSID vs another.

 

You might find some functionality via Sentry rules in Meraki Systems Manager (MDM), which could potentially specify which SSIDs a tagged user's hardware can connect to, but this would be cumbersome to manage, and not really a best practice.
