Restrict SSiD visibility by blocking/blacklisting or group policy

pjc
A model citizen

Hi all

 

We have partners with their own separate (non Meraki) wifi infrastructure, where we have agreed and created a common shared SSiD/passkey across our own wifi networks, so that we can co-work at each other's premises easily. Our Windows client devices are populated with the common SSiD profile, but despite group policy refresh setting the priority to promote our corporate SSiD, sometimes our clients connect to the less preferred (NAT base) shared SSiD instead of the corporate (Bridged).

I have tried playing around with Meraki group policy (different policies by SSiD > Blocked) and applied this to test clients, but the client still connects to the common SSiD but data is blocked, so not what I'm trying to achieve.

What I would like is that I can apply a policy to all of our managed clients, so that these clients do not see the SSiD (and therefore do not associate with it), but our partners coming into our buildings do still see the SSiD and can connect. 

Our clients will still be able to go to our partners buildings and connect to the same shared common SSiD OK.

 

Does anyone know if this is possible?

 

Thanks in advance for any help

Adam
Kind of a big deal

I don't think that is possible but is there ever a situation where you'd want your people to connect to the shared SSID in your building instead of the corporate SSID? If not then I'd say don't have the exact same SSID.  Each of you have different ones then you can just push that and it'll only connect when they are in that building. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
pjc
A model citizen

Thanks Adam & Philip. 

 

The idea of a shared SSiD made sense in that all of the partners just needed to push out in group policy the single SSiD, and that group policy would be set to give priority to the corporate one over the shared one, which we expected the client to prefer.

The problem arises when the client comes back from the partner's office, and until group policy has refreshed the client to re-elevate the priority, the client connects to the non-preferred SSiD. In addition to this, we are seeing when a client gets disassociated from the preferred SSiD (corporate) for whatever reason, it then re-connects, but can sometimes reconnect to the non corporate SSiD.

 

If there was a way to script something in group policy to say 'if you can see both ssid's then always connect to the corporate one' that would do it

 

Cheers

PhilipDAth
Kind of a big deal

But in group policy you configure the order of the SSIDs to use.  The first in the list is the preferred SSID.

 

Have you placed the configuration for the SSIDs into a single group policy?

pjc
A model citizen

Hi Philip

 

Yes, we have that configured in group policy, using netsh wlan set profileorder name so that the corp SSiD is priority 1. This works in normal use, however, as mentioned, when the client returns from the partner's site, until GP has been refreshed to reset the priority, the client connects to the non preferred network. This also happens when the client disconnects or disassociates from the preferred network in our premises, and then the client reconnects to the non preferred network.

 

Cheers

PhilipDAth
Kind of a big deal

That does not sound like you are using group policy to me.  It should look something like the below.  Note how the second SSID has the option ticked to connect to a more preferred SSID.

 

Screenshot from 2018-08-08 20-52-05.png

 

pjc
A model citizen

Sorry Philip for the confusion, we are using group policy as per your screenshot, but we are periodically running a script 'netsh wlan set profileorder name=ssid1 interface=WiFi priority=1' to re-elevate the preferred network to the top of the list, as without this it will use the last connected SSiD (when clients return from partner buildings).

 

We might have to reduce the time interval of the script to be more frequent, as it looks like there is nothing in Meraki that can help with this scenario

 

Thanks

PhilipDAth
Kind of a big deal

You shouldn't need to do that (run a script). The "connect to a more preferred network" option should be all that is required. Once it has seen the beacons for the primary network it should change over.

PhilipDAth
Kind of a big deal

This is nothing to do with Meraki.

 

On your clients you need to configure the preferred order of the SSIDs.
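
The two client-side settings discussed in this thread, the profile order and the "connect to a more preferred network" option, can be checked on a managed client from its exported WLAN profiles (`netsh wlan export profile`), where that option is stored as the `autoSwitch` element. The audit below is an added example, not code from any poster or from Meraki; the SSID names `CORP-WIFI` and `SHARED-WIFI`, the sample XML, and the assumption that the caller passes profiles in the order listed by `netsh wlan show profiles` are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def read_profile(xml_text):
    """Return (name, connectionMode, autoSwitch) for one WLAN profile XML."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", namespaces=NS)
    # Assumption: a profile without connectionMode is treated as auto here.
    mode = root.findtext("w:connectionMode", default="auto", namespaces=NS)
    # autoSwitch is optional in the profile schema; absent means false.
    switch = root.findtext("w:autoSwitch", default="false", namespaces=NS)
    return name, mode.strip().lower(), switch.strip().lower() == "true"

def audit(ordered_profiles, preferred):
    """ordered_profiles: XML strings in client priority order, highest first."""
    parsed = [read_profile(x) for x in ordered_profiles]
    names = [p[0] for p in parsed]
    if preferred not in names:
        return [f"{preferred}: profile missing"]
    findings = []
    rank = names.index(preferred) + 1
    if rank != 1:
        findings.append(f"{preferred}: priority {rank}, expected 1")
    for name, mode, switch in parsed:
        if name == preferred and mode != "auto":
            findings.append(f"{name}: connectionMode is {mode}, expected auto")
        elif name != preferred and not switch:
            # Without autoSwitch the client stays on this network even
            # when the preferred one is in range.
            findings.append(f"{name}: autoSwitch is off")
    return findings

def sample(name, auto_switch):
    """Constructed profile holding only the elements this audit reads."""
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{name}</name>'
            f"<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>"
            "<connectionType>ESS</connectionType>"
            "<connectionMode>auto</connectionMode>"
            f"<autoSwitch>{str(auto_switch).lower()}</autoSwitch></WLANProfile>")

if __name__ == "__main__":
    # State after a partner visit: shared profile first, autoSwitch off.
    print(audit([sample("SHARED-WIFI", False), sample("CORP-WIFI", False)], "CORP-WIFI"))
    # Intended state: corporate first, shared profile allowed to switch away.
    print(audit([sample("CORP-WIFI", False), sample("SHARED-WIFI", True)], "CORP-WIFI"))
```

An empty list means the client matches the intended configuration; any finding names the profile that would keep the device on the shared network.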
