G Suite authentication and group policies

Solved
amacleod
Comes here often

G Suite authentication and group policies

Hi all,

First time poster as my searches were fruitless. Anyway, in my school we use MR33's as our AP's and an MX80 as our Firewall. Our users login to our WiFi using G Suite authentication (as we are a G Suite school). I am trying to configure some Group Policies on the AP's but would really like to apply them per user rather than per device. I'd also love to extend this to apply the policies to a group of users rather than individually. It appears right now that can easily apply a policy on a device, but not a user.

 

Am I missing something? Has anyone else tried this, or have a better solution?

 

Thanks,

1 Accepted Solution
RodrigoC
Meraki Employee
Meraki Employee

Opps... I forgot to mention a 4th option.

 

If the number of users exempt from the schedule restriction is smaller than the group of users bound by the schedule is smaller, you can set the schedule to be the default policy for your network and then manually whitelist users that are exempt. For example, if you are looking to enforce a schedule for 200 students and leave 20 teachers with unrestricted access, you set the schedule as default policy and then manually exempt the teachers' devices. This would result in ~20 manual policy entries rather than 200+. 

 

 

Once again, I hope this helps! 😃

View solution in original post

4 Replies 4
RodrigoC
Meraki Employee
Meraki Employee

Hi @amacleod,

 

Could you elaborate a little more on what the end goals for your policies are? Are you looking to apply policy to students vs teachers, bandwidth abusers, policy breaking users, members of different departments...?

 

At this time, it is not possible to assign group policy to specific G suite users, but depending on what you are trying to do, you might be able to get away with using per VLAN policy, per device type policy, manual assignment or even SM to achieve your end goals.

 

Relevant KBs:

https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Po...

https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Integrating_Active_Directory_w...

 

amacleod
Comes here often

Hi,

 

I was hoping to setup certain users, who authenticate using their G Suite user credentials, with scheduled access. However, they often use multiple devices so I was wondering if I could setup the group policy on their G Suite username rather than on their specific devices as this will make it a lot less time consuming to setup.

 

I know I can do it as a device policy but was looking for a more time efficient way to do it!

RodrigoC
Meraki Employee
Meraki Employee

/Gotcha.

 

At this time the only way to apply group policy to specific users would be though Active Directory.  /:

 

That being said, you might be able to make the process a lot less time-consuming with one of the following options:

 

1) Use Sentry Policy (SM enrolled devices only): If your devices are enrolled in SM you can give users specific tags and apply group policy to an SM tag. Again, this would require SM enrollment for the devices in question [Relevant KB]

 

2) Apply Policy to Specific VLANs: If you use separate SSIDs and VLANs for the users you want to have on a schedule, you can apply the group policy to the entire VLAN rather than user-by-user. For example, having a Teachers/Faculty VLAN and a Students/Visitors VLAN means you can apply scheduling to the Students/Visitors VLAN without having to apply the policy to all students manually. [Relevant KB]

 

3) Apply Policy by Device Type: If all students are given Chromebooks (for example) and you want to limit student access at specific times, you can apply group policy to any Chromebook that connects. [Relevant KB]

 

 

The viability of these options varies depending on what devices/users you are looking to regulate.

RodrigoC
Meraki Employee
Meraki Employee

Opps... I forgot to mention a 4th option.

 

If the number of users exempt from the schedule restriction is smaller than the group of users bound by the schedule is smaller, you can set the schedule to be the default policy for your network and then manually whitelist users that are exempt. For example, if you are looking to enforce a schedule for 200 students and leave 20 teachers with unrestricted access, you set the schedule as default policy and then manually exempt the teachers' devices. This would result in ~20 manual policy entries rather than 200+. 

 

 

Once again, I hope this helps! 😃

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels