WiFi through Google's credentials - How to filter it?

Roberto2
Just browsing

WiFi through Google's credentials - How to filter it?

Here at the school I work for we still use WPA2 as authentication for Meraki wifi. We have 2 available SSIDs (Staff and Students).

A while ago the students figured out the password for the Staff SSID, so it won't matter if I change it , they 'll find out eventually again.

Meraki allows me to enable 3rd party credentials, so I want to use our Google Suite for that. The problem is that the students also have Google's credentials, so how can I filter the access to only allow staff to use the Staff network?

Thanks!

6 REPLIES 6
BrechtSchamp
Kind of a big deal

I'm not sure you can limit that. However, since you need to contact helpdesk to have the feature enabled, maybe you can ask them that too?

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_WPA2-Enterprise_with_G...

 

I think you may have to resort to a 3d party RADIUS server that integrates with the Google IAM platform(s).

PhilipDAth
Kind of a big deal
Kind of a big deal

Do you use an MDM or any system that can deploy certificates?  If so, I would look into using certificates for the staff devices.

 

In the Meraki world you have Systems Manager which can do this.  You can do things like say only devices with Systems Manager installed can connect (so you would only put it on staff devices):

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

You can also take it a step further (which I would) where you can get Systems Manager to deploy certificates onto the devices, and then using tags you can say only devices with a tag of "staff" are allowed on the staff SSID.  If you used it with studeny devices you can apply the same logic to only allow students to access the "student" ssid.  You can also kick a student off (say for a breach of policy) by simply removing the tag from their device.

Because this uses certificates there is no working around this.

https://documentation.meraki.com/SM/Other_Topics/Certificate-based_WiFi_authentication_with_Systems_...

 

 

For school assets you would normally make the device "fully" managed.  For Apple this is called "Supervised" mode, and for Android it is called "Device Owner" mode.

https://documentation.meraki.com/SM/Profiles_and_Settings/iOS_Supervision

https://documentation.meraki.com/SM/Device_Enrollment/Android_Enrollment

 

Note that Cisco Meraki Systems Manager also integrates with Apple School Manager (in case you use that).

https://documentation.meraki.com/SM/Profiles_and_Settings/Configuring_Apple_School_Manager_for_Share...

 

 

I don't personally like using it, by Systems Manager also has a BYOD mode you could use with student owned devices.  Note that BYOD mode can also be used to do lots of other things, but in this context I am only referring to it for configuring secure WiFi with certificates.

https://documentation.meraki.com/SM/Device_Enrollment/Containerization_with_Systems_Manager

ps. Schools get such a huge discount from Meraki - it isn't very expensive (in my opinion).

Thanks you so much guys for your time!

 

Unfortunately, for budget restrictions, we don't have an MDM yet...

 

I think the best alternative would have to be deploying a free RADIUS server here on premises...

PhilipDAth
Kind of a big deal
Kind of a big deal

What about using a single SSID (or converting the staff SSID to work the same as the student SSID) and then applying a group policy to staff devices to move them into the staff VLAN (also called per-device VLAN tagging)?

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

Failing that, if you have active directory you could use Microsoft NPS.

 

FreeRADIUS is an excellent product.  It will almost certainly be able to back into Google Suite to validate usernames/password BUT  knowing only the username/password how will you be able to identify which are teachers?  I suspect you would have to create a manual group in FreeRADIUS to do this.

 

Bossnine
Building a reputation

I use the Google authentication method for our BYOD devices and for some reason lately some devices (phones mainly since that is what usually is on it) just randomly disconnect.  Not to mention each time a user enters a new building (which is a separate 'network') they have to re-authenticate.  I'm not sure if that's a problem on my end or Meraki, but it would be more frustrating if that were the authentication method for essential devices.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels