I will be rolling out Meraki hardware at my company's new office soon. I've already tested Google authentication (802.1x) using an app specific password and it works great.
I would like to know if there is a way to apply a specific Vlan to a specific group or user. For example, if someone in the Engineering department connects to the wifi using their app specific password, we'd like for them to automatically be tagged to a specific Vlan. Is this possible?
You have two options. You can return a couple RADIUS attributes to dump the user into a give VLAN, or you can return the name of a Group Policy via a RADIUS attribute and inside the GP specify a VLAN.
So there's no way to do this with G Suite authentication? I know this can be done by selecting "my Radius server" as a form of authentication, but I wanted to use Google.
You would need to use a third party RADIUS server with Google Authentication support.
A quick Google semes to indicate JumpCloud support this. Never tries this combination myself.
You might be able to do this using FreeRadius as well. Never tried it myself.
I would regard Google Authentication as a temp fix for Single VLAN locations where a user-base directory for RADIUS Authentication is not available. There's some serious drawbacks to using Google Authentication:
1 - Must generate a GSuite App-Specific password per user.
2 - Must install or activate a mobile-config profile on Mac OS (per network) or Windows machines (per user).
3 - You cannot re-use the same SSID in multiple locations if one is Google Auth, but the other location uses RADIUS.
4 - I have had reports of users unable to connect to other open networks, such as hotel-net WiFi networks. Deleting the Google authentication mobile.config profile for Mac OS users seems to allow that.
5 - No dynamic VLAN assignments possible via Google alone, and you cant even set up separate SSID's for different VLANs and expect some users to work on one SSID vs another.
You might find some functionality via Sentry rules in Meraki System Manager (MDM), which could potentially specify which SSID's a tagged user's hardware can connect to, but this would be cumbersome to manage, and not really a best-practice.