I will be rolling out Meraki hardware at my company's new office soon. I've already tested Google authentication (802.1x) using an app specific password and it works great.
I would like to know if there is a way to apply a specific Vlan to a specific group or user. For example, if someone in the Engineering department connects to the wifi using their app specific password, we'd like for them to automatically be tagged to a specific Vlan. Is this possible?
Oh! I'm sorry. I didn't realize that was an option. My understanding was you had to use RADIUS for .1x. We don't have that enabled on our Orgs so I don't have that in my dropdowns. I had just assumed that Google Auth was using RADIUS somewhere.
I would regard Google Authentication as a temp fix for Single VLAN locations where a user-base directory for RADIUS Authentication is not available. There's some serious drawbacks to using Google Authentication:
1 - Must generate a GSuite App-Specific password per user.
2 - Must install or activate a mobile-config profile on Mac OS (per network) or Windows machines (per user).
3 - You cannot re-use the same SSID in multiple locations if one is Google Auth, but the other location uses RADIUS.
4 - I have had reports of users unable to connect to other open networks, such as hotel-net WiFi networks. Deleting the Google authentication mobile.config profile for Mac OS users seems to allow that.
5 - No dynamic VLAN assignments possible via Google alone, and you cant even set up separate SSID's for different VLANs and expect some users to work on one SSID vs another.
You might find some functionality via Sentry rules in Meraki System Manager (MDM), which could potentially specify which SSID's a tagged user's hardware can connect to, but this would be cumbersome to manage, and not really a best-practice.