Meraki

Community

IPSK VLAN Tagging?

Solved
Adrian4
Head in the Cloud
‎Apr 17 2023 8:01 AM
‎Apr 17 2023 8:01 AM

IPSK VLAN Tagging?

Hello,

 

I'm a little confused about the VLAN tagging on IPSK and couldn't find an answer in a guide anywhere.

 

We are not using radius and have several different identities defines in group policy. Each identity has a different VLAN assigned in the Group policy (the AP's connect to trunks ports with all VLANs allowed). 

Where I'm getting confused is on the Access control config page of the IPSK - at the bottom is a section for VLAN tagging. It can be enabled or disabled, and if enabled there's a box for AP tags and an VLAN number.

 

What is this section for? It looks like your assigning VLANs according to AP tag rather than a VLAN set per identity?
Is this not really meant to be used with non-radius setups? Would it override a Group Policy VLAN setting? 

 

If I disabled VLAN tagging, will the different identities with their different VLANs (set in GP) still be tagged correctly?

Thanks!

0 Kudos
1 Accepted Solution
Adrian4
Head in the Cloud
‎Apr 18 2023 3:44 AM
‎Apr 18 2023 3:44 AM

In the end I enabled SSID level tagging but just with a default so I don't think its being used as all the GP's have specific VLANS.

 

Seems to be working ok like this 😄

 

cheers!

View solution in original post

0 Kudos
10 Replies 10
GreenMan
Meraki Employee
Meraki Employee
‎Apr 17 2023 8:11 AM
‎Apr 17 2023 8:11 AM

You need to use VLAN tagging.   Assuming you're talking about iPSK without RADIUS, the key your client uses should match to one of the iPSKs you define.  The client will be placed in the configured (default) VLAN under 'VLAN tagging' - by tagging the relevant frames from that client.   With no tagging, how are the clients using different keys kept logically separate?

You would only add another VLAN ID if you wanted such clients to be placed in a different VLAN, when associating through a different AP  (one you've applied the relevant AP tag to).   Most customers will simply want to use one (the Default) VLAN, to keep things simpler.

In response to GreenMan
Adrian4
Head in the Cloud
‎Apr 17 2023 8:21 AM
‎Apr 17 2023 8:21 AM

When you define the Group policy, there is a place to define the VLAN for that policy.

Say I have a iPSK name "WiFiNetwork"
Under access control I can add multiple different identities, each with a different password,  and then assign each a different Group Policy (which in turn have different VLANS).

Then at the bottom of the Access control page for WIFINetwork, is the VLAN tagging section - you are saying that this should be turned on?

Adrian4_0-1681744946929.png

 




0 Kudos
In response to Adrian4
GreenMan
Meraki Employee
Meraki Employee
‎Apr 17 2023 8:28 AM
‎Apr 17 2023 8:28 AM

You have the option of defining the VLAN within either the Group Policy or (if undefined in the GP) on the SSID.   Either way, you will need the switch port to be a trunk, with the necessary VLANs enabled.

In response to GreenMan
Adrian4
Head in the Cloud
‎Apr 17 2023 8:30 AM
‎Apr 17 2023 8:30 AM

ah I see, so if using GP then its fine to leave tagging disabled in the SSID Access control settings?

0 Kudos
In response to Adrian4
GreenMan
Meraki Employee
Meraki Employee
‎Apr 17 2023 8:33 AM
‎Apr 17 2023 8:33 AM

Should be...   did you try it?

0 Kudos
In response to GreenMan
Adrian4
Head in the Cloud
‎Apr 17 2023 8:42 AM
‎Apr 17 2023 8:42 AM

To begin with it was enabled with just a default VLAN set, as well as GP and we have some handheld devices that wouldn't connect.

I turned off the SSID tagging, leaving the VLANs up to the GP - but apparently it still doesn't work.
I am going to go and test it myself in the morning.

0 Kudos
In response to Adrian4
GreenMan
Meraki Employee
Meraki Employee
‎Apr 17 2023 8:45 AM
‎Apr 17 2023 8:45 AM

OK - any trouble, call up Meraki Support on the phone...

0 Kudos
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 17 2023 9:43 AM
‎Apr 17 2023 9:43 AM

VLAN tagging can be left disabled at the SSID level. The VLAN tag in the IPSK GP will still work.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
GreenMan
Meraki Employee
Meraki Employee
‎Apr 17 2023 10:15 AM
‎Apr 17 2023 10:15 AM

@Adrian4    Looking back at my initial reply, when I said you need VLAN tagging, I was referring to the physical switch to which the APs are connected (i.e. they need to be configured as trunks).   Sorry for any confusion caused...

Adrian4
Head in the Cloud
‎Apr 18 2023 3:44 AM
‎Apr 18 2023 3:44 AM

In the end I enabled SSID level tagging but just with a default so I don't think its being used as all the GP's have specific VLANS.

 

Seems to be working ok like this 😄

 

cheers!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.