Dynamic VLAN Assignment on MR

Solved
Lonestarr_12345
New here

I am working on seeing if we can transition from our existing Aruba environment to Meraki for wireless only.  This would be a gradual transition, so Meraki would have to work seamlessly the same as the existing Aruba network.  So while "You could/should do it this way instead" replies are appreciated, they're not really going to be useful for me.

 

We currently have a single SSID "Secure", and users authenticate via RADIUS and are dynamically assigned to various VLANs based on their user role.  The authentication server is ClearPass, which polls AD for both U/P and AD Group membership.  Depending on their AD Group memberships, ClearPass assigns them a user role attribute (i.e. Student, Faculty, Staff, HelpDesk, etc.).  So far, so good, Meraki can handle all that by sending the received Aruba User Role to matching Group Policies.  But here's where things get dicey.  Once they have their role, we have several contiguous VLANs for each role which our Aruba Controller dynamically assigns - that is to say, there are 16 student VLANs and the controller "load balances" among them, then there's 4 Faculty VLANs, 4 Staff VLANs, and others for other roles.

 

It seems like Meraki gets SO CLOSE to the same behavior but just doesn't quite get there.  I have configured Named VLANs in the VLAN Profiles and that does seem to work, if there's only one Named VLAN on the SSID.  But when I configure the Group Policy that matches the Aruba User Role, when I select Tag VLAN it only allows a single numbered VLAN.  If I could select the "Students" Named VLAN here that would be perfect, but I'm either missing something or it's not an option.

 

Any ideas on how to accomplish this?  This is pretty much our biggest hangup, if we can't figure this out then we can't use Meraki, which I would love to be able to do.

1 Accepted Solution
Purroy
Meraki Employee

Hello,

 

For the purpose you are trying to achieve I would not do the VLAN assignment based on Group Policies.  I would override the SSID VLAN via RADIUS.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/VLAN_Profiles

 

You need to send the following attributes from ClearPass in the Access-Accept message:

[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-ID = <vlan name>

 

VLAN name is the name you configure in the VLAN Profiles that has the associated VLANs to it.

 

Make sure you set the override option on the access control page for the desired SSID:

 

[Screenshot (2024-05-13): the SSID's Access control page showing the RADIUS VLAN override option]

 With this you should be golden!

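To make the three attributes above concrete, here is an added example (not Meraki, ClearPass or Aruba code) that encodes an Access-Accept the way the RADIUS server would and then decodes it the way an access point would. The shared secret, the Request Authenticator and the VLAN name "Students" are constructed values; the VLAN profile name itself must match what is configured in the Meraki dashboard. Two details a practitioner will want to check are built in: the reply's Response Authenticator is verified against the shared secret before any VLAN is applied (an unauthenticated reply must never move a client into a privileged VLAN), and the RFC 2868 tag octet is handled, including the case where a server omits it, since a name such as "Students" begins with a byte above 0x1F and is therefore untagged by definition.

```python
"""
Encode and decode a RADIUS Access-Accept that carries a dynamic VLAN
assignment in the RFC 2868 tunnel attributes (Tunnel-Type,
Tunnel-Medium-Type, Tunnel-Private-Group-ID).

Added example; not Meraki, ClearPass or Aruba code. The packet is
constructed by hand: the shared secret, Request Authenticator and
VLAN name are made-up values.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868: Tunnel-Medium-Type "802"


def _tagged_int(attr, value, tag=0):
    # Tagged integer: one tag octet followed by a 3-octet big-endian value.
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def _tagged_string(attr, value, tag=0):
    # Tagged string: one tag octet followed by the string.
    body = bytes([tag]) + value.encode()
    return bytes([attr, 2 + len(body)]) + body


def build_access_accept(ident, request_auth, secret, vlan):
    """Server side: Access-Accept that assigns `vlan` (a VLAN name or number)."""
    attrs = (_tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
             + _tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def _split_tag(data):
    # RFC 2868: a first octet above 0x1F is not a tag but part of the value,
    # so an untagged "Students" ('S' == 0x53) still decodes as tag 0.
    if data and data[0] <= 0x1F:
        return data[0], data[1:]
    return 0, data


def parse_attributes(raw):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 1 >= len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute length")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_from_access_accept(packet, request_auth, secret):
    """AP side: return the VLAN (int id or name string) to apply, or None."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if expected != resp_auth:
        # Wrong shared secret or a forged/replayed reply: never apply a VLAN from it.
        raise ValueError("Response Authenticator mismatch")
    groups = {}
    for atype, val in parse_attributes(attrs):
        tag, body = _split_tag(val)
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            groups.setdefault(tag, {})[atype] = int.from_bytes(body, "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            groups.setdefault(tag, {})[atype] = body.decode()
    # All three attributes must agree within one tag group for a VLAN assignment.
    for group in groups.values():
        if (group.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[ATTR_TUNNEL_PRIVATE_GROUP_ID]
            return int(gid) if gid.isdigit() else gid
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # made-up value
    req_auth = bytes(range(16))                 # made-up Request Authenticator
    pkt = build_access_accept(7, req_auth, secret, "Students")
    print(vlan_from_access_accept(pkt, req_auth, secret))   # Students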

5 Replies
Lonestarr_12345
New here

Figuring out how to get ClearPass to behave like I wanted was a PITA (doesn't help that our ClearPass is a complete mess), but I got it configured and it's working exactly the way I was wanting it to!  Thanks so much!

Lonestarr_12345
New here

Awesome, sounds like that might be just what I'm looking for!  I'll look into that in the morning

alemabrahao
Kind of a big deal

Take a look at this post I wrote some time ago.

 

https://community.meraki.com/t5/Wireless/FreeRadius-Integration-with-OpenLDAP-and-Dynamic-Vlan-Assig...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

PhilipDAth
Kind of a big deal

FreeRADIUS is such an awesome product!
