Hi folks,
I'm new to the Meraki platform and loving it so far. I work at a school and we have created an SSID that uses an on-premises Windows 2012 R2 NPS server for 802.1X authentication. It's working great, but I would like to use Meraki Group Policy to help with a problem I have.
The SSID (let's call it Student-BYOD) is primarily for Windows AD domain-joined laptops used by students. We have a FortiGate firewall that uses the FortiGate Single Sign-On Agent to poll our domain controllers for logon and logoff events. We use this so we can apply FortiGate security policies based on the security group of the user who has logged onto the AD domain-joined laptop.
However, this year we are allowing some pupils to BYOD. These are non-domain-joined devices that will typically be Windows laptops, iPads and MacBooks. I have a policy on the NPS server to allow members of the BYOD group to connect to the Student-BYOD SSID. They join fine, but because the devices are not AD domain-joined, the FortiGate SSO Agent does not know they are on the network, and so their web traffic is not authenticated.
My goal here is to avoid a separate SSID for the BYOD students and instead use Meraki Group Policy to direct these BYOD devices to a separate VLAN.
I have created a new network policy for the BYOD group of users on the NPS server. I have added the Filter-Id attribute and given it the name of a Meraki Group Policy that I have created (the Meraki GP is empty just now).
So I have two NPS Network Policies I am looking to use with the Student-BYOD SSID:
- The policy that allows access to the SSID by student AD domain-joined laptops, which has no Filter-Id attribute.
- The policy that allows access to the SSID by a student BYOD device, which does have the Filter-Id attribute.
My question is will access to the Student-BYOD SSID still work for devices using the first policy above? This is how Access Control for the SSID is currently configured in the console:
As they will not have the Filter-Id attribute, I'm hoping they will join as normal and be placed onto the Student-BYOD VLAN. Any member of the BYOD student group will have the Filter-Id passed from the NPS server and will then have the Meraki Group Policy applied.
I was planning to use a Meraki Group Policy to place clients with the Filter-Id onto a separate VLAN from the Student-BYOD VLAN. I would then allow that VLAN unauthenticated access on the FortiGate to solve the authentication issue; I would still apply filtering and application policies on that VLAN though 🙂
I hope that makes sense to someone, and I would be very grateful if someone could validate this or point me in the right direction.
All the best,
Steven.
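Added example (not part of the original post, and not Meraki or Microsoft code): a small Python model of the decision the post is relying on. It builds RADIUS Access-Accept packets the way an NPS network policy would return them (RFC 2865 attribute encoding, Filter-Id is attribute type 11), parses the attributes with length checks, and then applies the rule the poster describes: no Filter-Id means the client lands on the SSID's default VLAN, a Filter-Id whose value exactly matches a configured group policy name means that policy's VLAN applies. The policy name "BYOD-Unauth", the VLAN numbers 20 and 30, the usernames, and the treatment of an unmatched Filter-Id as "no policy applied" are all assumptions made for the example; the sample packets are constructed, not captured.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11


def build_packet(code, ident, attrs):
    """Build a RADIUS packet from a list of (type, value_bytes) attributes.

    The 16-byte authenticator is zeroed: this example exercises attribute
    handling only, not the shared-secret / Message-Authenticator checks an
    access point performs before trusting the packet at all.
    """
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:  # RFC 2865: attribute length field is one byte
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def assign_vlan(packet, group_policies, default_vlan):
    """Model the access point's placement decision.

    Returns (vlan, policy_name) for an Access-Accept, or None for a reject.
    No Filter-Id            -> SSID default VLAN, no policy.
    Filter-Id == policy name -> that group policy's VLAN.
    ASSUMPTION: a Filter-Id matching no configured policy is treated as
    absent (the name must match exactly, including case).
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_FILTER_ID:
            name = value.decode("utf-8", "replace")
            if name in group_policies:
                return group_policies[name], name
    return default_vlan, None


# Constructed sample data; names and VLAN numbers are assumptions.
GROUP_POLICIES = {"BYOD-Unauth": 30}   # Meraki group policy name -> VLAN
STUDENT_BYOD_VLAN = 20                  # SSID default VLAN

DOMAIN_JOINED = build_packet(ACCESS_ACCEPT, 1, [
    (ATTR_USER_NAME, b"host/laptop01.school.local"),
])
BYOD = build_packet(ACCESS_ACCEPT, 2, [
    (ATTR_USER_NAME, b"pupil@school.local"),
    (ATTR_FILTER_ID, b"BYOD-Unauth"),
])
MISNAMED = build_packet(ACCESS_ACCEPT, 3, [
    (ATTR_USER_NAME, b"pupil2@school.local"),
    (ATTR_FILTER_ID, b"byod-unauth"),   # differs only in case from the policy
])
REJECTED = build_packet(ACCESS_REJECT, 4, [])

if __name__ == "__main__":
    for label, pkt in [("domain-joined", DOMAIN_JOINED), ("BYOD", BYOD),
                       ("misnamed Filter-Id", MISNAMED), ("rejected", REJECTED)]:
        print(f"{label:>20}: {assign_vlan(pkt, GROUP_POLICIES, STUDENT_BYOD_VLAN)}")
```

The two things worth checking in the real deployment are the ones the model makes explicit: a policy with no Filter-Id simply falls through to the SSID's default VLAN, and the Filter-Id string returned by NPS has to match the group policy name exactly, so a typo or case difference silently leaves the BYOD client on the default VLAN rather than failing loudly.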