Hi there,
We're currently testing out using JumpCloud LDAP with Meraki. We've got our SSID set up and we can authenticate and everything is great but we want to be able to do a bit more and are wondering the following.
Is it possible to have Meraki see what LDAP groups a user is authenticating on the Meraki LDAP splash page and then be able to take that info to auto put that device that just got auth'd into a specific group policy in Meraki?
To rephrase what I'm trying to accomplish here, can we apply a specific group policy to a device based on what LDAP user authenticated to connect?
Thanks!
Hello, Ben from JumpCloud
We were speaking on the JumpCloud Slack lounge, and it looks like we were able to almost get there.
We could not complete the integration, however, so this is not a complete solution at this time. The main reason is because the Filter-ID matching is currently in beta and we need to wait for Meraki support to possibly enable it for this tenant. Once it has been enabled, we can continue to test and verify functionality properly.
Not with LDAP. You can do it with RADIUS.
@ngaibut As mentioned, you do that using RADIUS. Below is a screenshot from JumpCloud showing where you add RADIUS attributes to groups. The one Meraki seems to use is "Aruba-User-Role" as its group attribute option. As long as you create a group policy with the exact same name as what you specify in JumpCloud, it will work.
Thanks both for the insights! @BlakeRichardson Thanks for the specifics on the JumpCloud side too.
Follow up question:
We did experiment with JumpCloud RADIUS too and that worked well. We preferred the UI for LDAP because it allowed us to customize the splash screen with some additional instructions/clarifications, whereas with RADIUS, it uses the native macOS/Windows dialogs for username and password entry, which could be overcome with user education but was confusing to users in general for us.
Is there an option to do RADIUS using JumpCloud with a splash page for the authentication and we could push out the certificate via our MDM? I imagine I might be getting into the weeds here and this might also be a JumpCloud limitation.
Thank you!
Thanks to the help from @BenGarrison . We were able to get this to work.
We had to submit a ticket to Meraki to have them enable the "Filter-ID RADIUS attribute with a group policy for sign-on splash" feature as referenced in this article. Once the feature is enabled, in JumpCloud, we created a new RADIUS attribute in the user group where the user group is bound to RADIUS.
The RADIUS attribute name is "Filter-ID" and the RADIUS attribute value would be the same name as the group policy that would be getting applied on those machines on the Meraki side.
The important bit here is that in JumpCloud, when setting up the RADIUS server, the IP address that you want to use is the Meraki Dashboard IP, which @BenGarrison references. We got our IP address by pinging our instance of the Meraki dashboard https://n###.meraki.com.
Once you plug in all the right settings, we could see our device authing with RADIUS on the splash page and then automatically getting assigned the group policy in Meraki!
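For troubleshooting the setup described in this thread, the following is an added example (not code from any poster, JumpCloud or Meraki) that parses a RADIUS Access-Accept per RFC 2865, extracts the Filter-Id attribute (type 11) and compares it with a list of group policy names. The function names, the sample packets and the policy names are constructed for illustration, and treating case or whitespace differences as a "near" miss is an assumption of this example.

```python
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # RFC 2865 attribute type

def filter_ids(packet):
    """Return every Filter-Id string carried in a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the packet")
    values, pos = [], 20                      # attributes start after the header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == FILTER_ID:
            values.append(packet[pos + 2:pos + a_len].decode("utf-8", "replace"))
        pos += a_len
    return values

def check_policy_match(packet, policy_names):
    """Map each Filter-Id to ('exact'|'near'|'missing', matching policy or None)."""
    folded = {name.strip().casefold(): name for name in policy_names}
    results = {}
    for value in filter_ids(packet):
        if value in policy_names:
            results[value] = ("exact", value)
        elif value.strip().casefold() in folded:   # differs only in case/whitespace
            results[value] = ("near", folded[value.strip().casefold()])
        else:
            results[value] = ("missing", None)
    return results

def build_accept(attrs, code=ACCESS_ACCEPT):
    """Build a constructed test packet; the authenticator is zeroed, not valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    policies = ["Staff-Policy", "Guest"]           # constructed policy names
    for raw in (b"Staff-Policy", b"staff-policy ", b"Contractors"):
        pkt = build_accept([(18, b"hello"), (FILTER_ID, raw)])
        print(check_policy_match(pkt, policies))
```
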
@BenGarrison Welcome, we have spoken a few times on the JumpCloud community, so nice to see you here as well.
Thanks Blake! I have always monitored, just never posted really. Hope to help where I can!