Segmenting Users based on Login

lukemason
Conversationalist


This may be a very unique situation but I figured I would ask to see if anyone has run across this before. We are taking over IT for a business that rents space and they have written in their contracts that they provide wireless internet to the users. As of right now everyone logs into the same SSID, so my vision is that User A will be given credentials to log in to the WiFi and it puts them on VLAN X, and User B is put onto VLAN Y and so on. Typically I would look at using Guest Networking for this; HOWEVER, in some cases users are allowed to bring in printers or computers and plug them into the network ports, so I would like them to be on the same VLAN so they can access their printers, etc. that may be on the wired network.

 

Not sure if I explained this well enough or not.

 

Thanks in advance!

jdsilva
Kind of a big deal

So in my opinion doing this the way you're asking is difficult to manage, but not impossible. For Meraki, you would basically need a Group Policy for every user that specifies their respective VLAN. You can also add some L3 rules into the GP that allow them to the printer VLAN, but not other user VLANs for example. Every time you get a new user you create a new GP, and update your user DB to return the proper fields when that user hits the WiFi via RADIUS.

 

But, I would suggest you just use a single VLAN and use features like Deny Local LAN, Wireless Client Isolation, and MR firewall rules to isolate clients.

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_...

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

 

This approach negates the need to manage a large number of VLANs, and MACs related to people coming and going from the organization.
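An added example, not part of the reply above and not Meraki's own code: a sketch of the bookkeeping the per-user Group Policy approach implies, auditing a tenant table before building the RADIUS reply for each login. The tenant names, VLAN numbers, `gp-` naming scheme and the shared printer VLAN are constructed, and it assumes the SSID reads the group policy name from the standard `Filter-Id` attribute.

```python
# Constructed tenant table; every name and number here is hypothetical.
TENANTS = [
    {"user": "tenant-a", "vlan": 110},
    {"user": "tenant-b", "vlan": 120},
    {"user": "tenant-c", "vlan": 120},  # constructed mistake: reuses tenant-b's VLAN
]
PRINTER_VLAN = 50  # assumed shared VLAN that no tenant may be placed in


def policy_name(tenant):
    """Group policy name for a tenant (naming scheme is an assumption)."""
    return f"gp-{tenant['user']}"


def audit(tenants, reserved=(PRINTER_VLAN,)):
    """Return (user, reason) pairs for entries that would break isolation."""
    problems = []
    vlan_owner = {}
    users = set()
    for t in tenants:
        user, vlan = t["user"], t["vlan"]
        if user in users:
            problems.append((user, "duplicate user entry"))
            continue
        users.add(user)
        if not 1 <= vlan <= 4094:
            problems.append((user, f"VLAN {vlan} outside 1-4094"))
        elif vlan in reserved:
            problems.append((user, f"VLAN {vlan} is reserved"))
        elif vlan in vlan_owner:
            # Two tenants on one VLAN can reach each other at layer 2.
            problems.append((user, f"VLAN {vlan} already assigned to {vlan_owner[vlan]}"))
        else:
            vlan_owner[vlan] = user
    return problems


def radius_reply(tenant):
    """Reply attributes the user DB would return on a successful login."""
    return {"Filter-Id": policy_name(tenant)}


if __name__ == "__main__":
    for user, reason in audit(TENANTS):
        print(f"REJECT {user}: {reason}")
    bad = {user for user, _ in audit(TENANTS)}
    for t in TENANTS:
        if t["user"] not in bad:
            print(t["user"], radius_reply(t))
```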

 

 
