Hi,
We are looking to overhaul our wireless and incorporate what is currently three SSIDs into one seamless network that is to be used by guests and staff.
However, we want to still keep guests separate from the staff and have different policies assigned to them. We are hoping to use the AD authentication on this network so that staff can log in and use the wireless with their own credentials rather than a set OTP.
Is it possible to have a 'Continue as Guest' on the login page, or would a guest account need creating on AD? If the latter is true, then I think having a separate guest SSID would be easiest. The only issue being that staff may just use the guest network to save them having to type in any details.
I look forward to hearing any input.
Many thanks
I would make a separate guest SSID, deny access to the local LAN, rate limit the connection and add content filters.
No employee would connect to that guest network.
This is very easy to do. Set up a default VLAN for data and another VLAN for your guest wireless SSID. Then create your 2 separate SSIDs and under the guest one, tell it to use VLAN tagging. In the drop-down, select the VLAN you want. I use 4, but you can number it whatever you feel like. Also, add a firewall rule denying the guest subnet any access from any port to the main SSID network. You can add an exemption if you want if there's a printer for example, but I generally don't. With the Merakis, it's really easy 🙂
Hi @Jake
I wouldn't do that. Set up one SSID for staff and use WPA2-Enterprise mode. Every user and machine is authenticated using their AD credentials. There are no splash pages - staff get in without having to think.
Then for guest create a splash page.
Hi Philip,
Unfortunately, setting up a RADIUS server that communicates with AD is not an option, so we would have to use the LDAP method through a splash page.
Many thanks,
Jake
I've looked into this but am I right in saying this would make Meraki group policy assignment by user groups on AD impossible?
This was an important feature for us that I know is available to use with the splash page. Is it possible to implement this with WPA2-Enterprise?
Thanks
Hi,
We use Cisco ISE as a RADIUS server. The ISE is connected to the Microsoft AD and the Meraki WLAN is connected to the ISE.
Once a user wants to connect to the internal SSID, the ISE checks if the device is allowed to go to the internal LAN (it's checked whether Windows devices have a certificate and whether the users are connecting with their AD account to the SSID). If the device is not allowed on the internal LAN, it will be placed in the "external" (V-)LAN for internet connectivity.
Guests will connect to a Guest-SSID with frequently changing preshared keys, routed directly to an external VLAN for internet access.
Regards
redsector
Maybe you'll get some ideas from this...
At any given time, I have at most 3 SSIDs being offered. I'll define them below:
Below is each splash page followed by their scheduled availability:
I've included pics of the settings below followed by great Meraki and Microsoft documentation on this process.
I actually have two NPS servers (just for failover purposes and no single point of failure) hearing the requests and load balancing and then three actual RADIUS server roles on three other servers processing the requests for load balancing at (34%, 33%, 33%).
Documentation in no particular order:
https://technet.microsoft.com/en-us/library/cc730866(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/Cc772591(v=WS.10).aspx
https://technet.microsoft.com/en-us/library/cc731824(WS.10).aspx
https://technet.microsoft.com/en-us/library/Dd197433(v=WS.10).aspx
https://technet.microsoft.com/en-us/library/cc725658(v=ws.10).aspx