Google Authentication + Vlan Assignments

AlexCisneros
Conversationalist

Google Authentication + Vlan Assignments

Hello, 

 

I will be rolling out Meraki hardware at my company's new office soon. I've already tested Google authentication (802.1x) using an app specific password and it works great. 

 

I would like to know if there is a way to apply a specific Vlan to a specific group or user. For example, if someone in the Engineering department connects to the wifi using their app specific password, we'd like for them to automatically be tagged to a specific Vlan. Is this possible?

5 REPLIES 5
jdsilva
Kind of a big deal

Hey there,

 

You have two options. You can return a couple RADIUS attributes to dump the user into a give VLAN, or you can return the name of a Group Policy via a RADIUS attribute and inside the GP specify a VLAN.

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_...

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply...

So there's no way to do this with G Suite authentication? I know this can be done by selecting "my Radius server" as a form of authentication, but I wanted to use Google. 

Snip20190501_10.png

Oh! I'm sorry. I didn't realize that was an option. My understanding was you had to use RADIUS for .1x. We don't have that enabled on our Orgs so I don't have that in my dropdowns. I had just assumed that Google Auth was using RADIUS somewhere. 

 

 

You would need to use a third party RADIUS server with Google Authentication support.

 

A quick Google semes to indicate JumpCloud support this.  Never tries this combination myself.

https://jumpcloud.com/blog/radius-authentication-google-idaas/

 

You might be able to do this using FreeRadius as well.  Never tried it myself.

https://www.supertechguy.com/help/security/freeradius-google-auth/

brconflict
Here to help

I would regard Google Authentication as a temp fix for Single VLAN locations where a user-base directory for RADIUS Authentication is not available. There's some serious drawbacks to using Google Authentication:

 

1 - Must generate a GSuite App-Specific password per user.

2 - Must install or activate a mobile-config profile on Mac OS (per network) or Windows machines (per user).

3 - You cannot re-use the same SSID in multiple locations if one is Google Auth, but the other location uses RADIUS.

4 - I have had reports of users unable to connect to other open networks, such as hotel-net WiFi networks. Deleting the Google authentication mobile.config profile for Mac OS users seems to allow that.

5 - No dynamic VLAN assignments possible via Google alone, and you cant even set up separate SSID's for different VLANs and expect some users to work on one SSID vs another.

 

You might find some functionality via Sentry rules in Meraki System Manager (MDM), which could potentially specify which SSID's a tagged user's hardware can connect to, but this would be cumbersome to manage, and not really a best-practice.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels