I am configuring successfully a Wireless guest SSID with Google sign-on but I would like to improve it by retrieving Google identity attributes to allow only users with a specific custom attribute (for example "WiFiEnabled" : "true")
so I was thinking about options:
1) Is there an option of doing it on meraki cloud hosted splash screen (maybe with a custom designed splash screen?)
2) is it possible to restrict successful authentication coming from Meraki cloud only to certain Google Identity group?
3) would it be a viable option to have the guest portal on ISE and retrieve Google identities via SAML ? (as far as I know it can retrieve user attributes) but then I will have the problem of using MAB (that gives no encryption) or 802.1x (that can bee too complex for guest users) while now I have a rotating PSK
1) Unfortunately this wont work.
2) Not with Meraki Devices alone.
3) This seems like it would work if ISE supports it but your interpretation of limitations sound correct.
I know that I didn't necessarily provide a solution but hopefully this helps by eliminating the options that definitely won't work.
@GiovanniA Rather than use Google Auth why not use Radius auth and limit it to a specific group.
Thank you for your input,
Can you elaborate more on point #2 ?
Thanks in advance!
Our company uses Google identities for certain tasks and we have an organization managed in Google with our domain.
Using Google for guest access is a specific use case where we are not giving access to generic Google accounts but Google domain accounts under our domain.
What is the missing part is to have a chance to filter which user can be successfully authenticated rather than everyone under our Google domain.
Using RADIUS for this could be an option, yes but
if we consider Google authentication then we should
1) do MAC address bypass authentication and redirect to Cisco ISE
2) integrate ISE to Google via SAML and retrieve user attributes from there
3) authenticate with a guest portal in ISE
if we consider other type of identities we would just simply lose the integration we have with Google identities and that would leave us to have maybe AD or LDAP but is the same story about point #1 of the previous consideration
another thing to consider is that MAB does not provide encryption, and only other available option for meraki to ISE guest portal is 802.1x authentication but this is traditionally something that cannot be easily managed by end users so we should eventually consider an open SSID for onboardin and another SSID for production (so 1 SSID more...) and this complicates the solution (after all is a guest access...right?)
One option may be to see if Google expose identities via cloud LDAP as I am reading here :
in that case...would it be doable to restrict authentication by searching into a specific OU via LDAP search from Google identities?
Let's imagine I would do that for AD via LDAP...can I restrict to specific groups?
If that is doable then I can see if Google identities via LDAP expose a similar structure of Google groups or attributes and restrict access in a more traditional way and keep it cloud to cloud
In regards to point #2:
Now that I think about what you mean by that specific point more, I am going to simply say no. I can't see the possibility of google auth working in this way when using the Meraki cloud. )-: