Wireless Guest access (Google authentication splash) and Google identity attributes
I am successfully configuring a wireless guest SSID with Google sign-on, but I would like to improve it by retrieving Google identity attributes to allow only users with a specific custom attribute (for example "WiFiEnabled" : "true").
So I was thinking about options:
1) Is there an option of doing it on the Meraki cloud-hosted splash screen (maybe with a custom-designed splash screen)?
2) Is it possible to restrict successful authentication coming from Meraki cloud only to a certain Google Identity group?
3) Would it be a viable option to have the guest portal on ISE and retrieve Google identities via SAML? (As far as I know it can retrieve user attributes.) But then I will have the problem of using MAB (that gives no encryption) or 802.1x (that can be too complex for guest users), while now I have a rotating PSK.
Our company uses Google identities for certain tasks and we have an organization managed in Google with our domain.
Using Google for guest access is a specific use case where we are not giving access to generic Google accounts but Google domain accounts under our domain.
What is missing is a chance to filter which users can be successfully authenticated, rather than everyone under our Google domain.
Using RADIUS for this could be an option, yes, but
if we consider Google authentication then we should:
1) do MAC address bypass authentication and redirect to Cisco ISE
2) integrate ISE to Google via SAML and retrieve user attributes from there
3) authenticate with a guest portal in ISE
If we consider other types of identities we would simply lose the integration we have with Google identities, and that would leave us with maybe AD or LDAP, but it is the same story as point #1 of the previous consideration.
Another thing to consider is that MAB does not provide encryption, and the only other available option for Meraki to ISE guest portal is 802.1x authentication, but this is traditionally something that cannot be easily managed by end users, so we should eventually consider an open SSID for onboarding and another SSID for production (so 1 SSID more...), and this complicates the solution (after all, it is a guest access... right?).
One option may be to see if Google exposes identities via cloud LDAP, as I am reading here: