I know this topic has been kicked around a few times already, but it seems there is no acceptable solution.
Generally we create 3 SSIDs: GUEST, BYOD, CORP. For Guest and BYOD we want clients isolated, and for CORP we want them discoverable. But this seems not to be possible on Meraki.
I have a setup here where 3 devices on the same network need to communicate with each other. The workaround I had to use was to create a new SSID and put one device in that, which allowed me to get communication between two of the hosts working, but that is obviously not scalable.
I am wondering how corporates are dealing with devices like wireless printers, handheld scanners and P2P Skype calls? Is there any other way to achieve this that I am not aware of, and if not is it on the road map?
I see thank you.
So would I be right in assuming, the MX cannot act as a DHCP server in bridge mode and a dedicated server would be required?
Ok sounds like a better approach, will give it a try.
I think it is better to use a VLAN to separate the other network. That is what I do: I create a VLAN for the production network, let Meraki DHCP serve the guest network, and block unnecessary network-to-network traffic with the firewall.
For guest I use Meraki DHCP with Facebook login, which I think is the best option, especially for ease of use for customers 🙂
Did your question get answered?
I'd start by making a list of all your types of devices and their requirements.
Guest Devices - will guests ever need access to a printer? If not, Meraki DHCP + Firewall could work. Note that captive portal devices get assigned a weird policy and don't follow the MR L3 firewall rules, so you need an upstream firewall. Another option is to tunnel guest traffic to an MX, or simply put guests on a VLAN with a firewall that limits it. If you go with a VLAN, you'll need to implement the MR's isolation feature and firewall settings to prevent communication between devices on the same VLAN.
Employee BYO Devices - How do you want to handle these? You could use Meraki Trusted Access or Systems Manager Sentry for secure connectivity, it's pretty awesome. Or you can use your corporate credentials to log in via 802.1x, but that's definitely a way to expose your unmanaged devices to potential honeypot attacks. Most users/devices will "leak" your enterprise credentials to any random access point that broadcasts nearby. If you educate users not to accept certificates from unknown WiFi access points, well who are we kidding! That's never going to happen. Use Trusted Access. The alternative is a BYOD WPA2-PSK network with a splash page to authorize devices. If you want to do this all easily, try an add-on product like Splash Access (www.splashaccess.com) or any captive portal guest solution from Meraki's app store (https://apps.meraki.io/)
Employee Corporate Devices - You should be using EAP-TLS with certificate authentication if your security is important to you. But if not, go ahead and use AD logins, but at least configure your devices' WiFi with Active Directory or Systems Manager or Trusted Access or some other MDM/EMM.
Handheld Scanners - Most scanners I know have strange WiFi requirements, you want to avoid a separate network for these devices, but it might come at a cost of roaming. Consider and TEST the impact of 11r and 11w before enabling.
Printers - Please tell me you aren't using wireless printers. Sorry to be snarky, but please use ethernet for printers. Most of these devices are terrible at WiFi security.
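The three-tier plan in the reply above (isolated GUEST and BYOD, discoverable CORP on its own VLAN with EAP) is easy to get wrong one checkbox at a time. The following is an added example, not code from the thread or from Meraki: it builds the per-SSID and per-SSID L3 firewall payloads as plain dicts and lints them against the tier requirements before anything is pushed. The key names (authMode, ipAssignmentMode, lanIsolationEnabled, useVlanTagging, defaultVlanId, rules/destCidr, allowLanAccess) are my recollection of the Dashboard API v1 SSID endpoints and are assumptions to verify against the API reference; the VLAN numbers are made up. Nothing here touches the network.

```python
"""Added example (not from the thread): design lint for a GUEST/BYOD/CORP SSID plan.

Field names are assumed to match the Meraki Dashboard API v1 SSID and
per-SSID L3 firewall payloads; verify them before use. VLAN IDs are made up.
"""
from __future__ import annotations
from typing import Any

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Per-tier requirements drawn from the reply above: guests and BYOD are
# isolated from each other and from the LAN; corporate devices are
# discoverable on their own VLAN and authenticate via 802.1X/RADIUS.
TIERS = {
    "GUEST": {"isolate": True,  "lan_access": False, "auth": "open",         "vlan": 30},
    "BYOD":  {"isolate": True,  "lan_access": False, "auth": "psk",          "vlan": 20},
    "CORP":  {"isolate": False, "lan_access": True,  "auth": "8021x-radius", "vlan": 10},
}


def build_ssid(tier: str, number: int) -> dict[str, Any]:
    """Payload for PUT /networks/{id}/wireless/ssids/{number} (assumed field names)."""
    req = TIERS[tier]
    payload: dict[str, Any] = {
        "number": number,
        "name": tier,
        "enabled": True,
        "authMode": req["auth"],
        "ipAssignmentMode": "Bridge mode",       # bridge so upstream L3/DHCP (e.g. an MX) serves clients
        "useVlanTagging": True,
        "defaultVlanId": req["vlan"],
        "lanIsolationEnabled": req["isolate"],   # bridge-mode client isolation
    }
    if req["auth"] in ("psk", "8021x-radius"):
        payload["encryptionMode"] = "wpa"
        payload["wpaEncryptionMode"] = "WPA2 only"
    return payload


def build_l3_rules(tier: str) -> dict[str, Any]:
    """Per-SSID L3 firewall payload: deny all private ranges for tiers without LAN access."""
    req = TIERS[tier]
    rules = []
    if not req["lan_access"]:
        for cidr in RFC1918:
            rules.append({"comment": f"{tier}: block {cidr}", "policy": "deny",
                          "protocol": "any", "destPort": "Any", "destCidr": cidr})
    return {"rules": rules, "allowLanAccess": req["lan_access"]}


def lint(ssid: dict[str, Any], l3: dict[str, Any]) -> list[str]:
    """Return the tier invariants this SSID/firewall pair violates (empty list = OK)."""
    tier = ssid["name"]
    req = TIERS[tier]
    findings: list[str] = []
    if req["isolate"] and not ssid.get("lanIsolationEnabled"):
        findings.append(f"{tier}: client isolation must be on")
    if not req["isolate"] and ssid.get("lanIsolationEnabled"):
        findings.append(f"{tier}: isolation is on, printers/scanners will not be discoverable")
    if req["auth"] == "8021x-radius" and ssid.get("authMode") != "8021x-radius":
        findings.append(f"{tier}: corporate SSID must use 802.1X/EAP, got {ssid.get('authMode')}")
    if not req["lan_access"]:
        denied = {r["destCidr"] for r in l3["rules"] if r["policy"] == "deny"}
        missing = [c for c in RFC1918 if c not in denied]
        if missing or l3.get("allowLanAccess"):
            findings.append(f"{tier}: must deny LAN access (unblocked: {missing})")
    if ssid.get("ipAssignmentMode") == "Bridge mode" and not ssid.get("useVlanTagging"):
        findings.append(f"{tier}: bridge mode without a VLAN tag lands clients in the native VLAN")
    return findings


if __name__ == "__main__":
    for number, tier in enumerate(TIERS):
        problems = lint(build_ssid(tier, number), build_l3_rules(tier))
        print(tier, "OK" if not problems else problems)
```

The lint is a plan check, not enforcement: as the reply notes, clients behind a captive portal may not follow the MR's L3 rules, so an upstream firewall (or tunnelling guest traffic to an MX) still has to back the deny rules. Run it against the payloads you are about to push, or against what `GET` returns after a change, to catch an SSID that silently lost isolation or fell back to PSK.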
Thanks for the very informative reply!
Yes my question was answered thank you. My questions were more theory based, I work for a service provider who has a variety of clients (hospitals, retail, agriculture etc) so there is a fine balancing act between security and functionality.
In my case (lab setup) the answer was to switch to bridge mode and use layer 3 and DHCP on the MX which is working well.