Meraki

Community

IPSK without radius Group Policies

Sdot1
New here
‎May 16 2023 2:24 PM
‎May 16 2023 2:24 PM

IPSK without radius Group Policies

I created a SSID that uses IPSK without radius. I created 3 IPSK groups tied to 3 group policies. Each group assigns a different vlan. I want to ensure that a client cannot switch networks if they know the PSK of a different group.


If I manually add clients to groups via the dashboard will they be able to hop to a different group simply by knowing the password of another group?


During testing II manually added a client to Group A via the dashboard. I was still able to connect to the SSID if I use the password from group B, but the client IP stays on the network for Group A.

If I hover over the clients under Network wide> Group Policies Group A says "set via dashboard, group B says "set via 802.1x. What's the behavior for this? Will clients manually set via the dashboard take precedence?

0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 16 2023 2:27 PM
‎May 16 2023 2:27 PM

For iPSK, if they know the password for another SSID, they can join it.

 

You could need to create another group policy with a VLAN override and assign it directly to the client.  They would still be able to connect using other PSKs if they knew them, but they would always be dropped into the same VLAN.

a5it
Getting noticed
‎May 16 2023 5:01 PM
‎May 16 2023 5:01 PM

When you manually map a client to an Identity PSK (IPSK) group using the dashboard, the client will be tied to the group policy (and corresponding VLAN) of that group, regardless of which pre-shared key (PSK) they use to connect.

 

So, to answer your question, even if a client knows the PSK of a different group, they would still be tied to the group to which they were manually assigned in the dashboard. They would not be able to "hop" to a different VLAN simply by using a different PSK.

 

The behavior you observed during your testing – where you were able to connect using the PSK from Group B, but still received an IP from the network for Group A – aligns with this.

 

As for the "set via dashboard" and "set via 802.1x" notations you're seeing, this is indicating how the group policy was applied to the client. "Set via dashboard" indicates that you manually assigned the client to the group via the dashboard, while "set via 802.1x" indicates that the group policy was applied based on the 802.1x authentication process.

 

In this setup, a manually assigned group policy via the dashboard will take precedence over one assigned through 802.1x authentication. So, even if a client connects using a different PSK, the group policy and VLAN assignment they get will be the one you set manually via the dashboard.

Always remember to save and apply any changes you make in the dashboard, and it may take a few moments for changes to propagate through the system. For testing purposes, you might also need to disconnect and reconnect clients to ensure they're receiving the correct group policy and VLAN assignment.

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 16 2023 6:04 PM
‎May 16 2023 6:04 PM

It's exactly what @PhilipDAth said.

 

@a5it is using ChatGPT for give all answers. 🤣

 

If it's possible, with Cisco ISE you have more flexibility.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Sdot1
New here
‎May 17 2023 2:58 PM
‎May 17 2023 2:58 PM

Thanks for the replies. @PhilipDAth . Can you elaborate on "create another group policy with a VLAN override and assign it directly to the client"  My current Group Policies tied to each IPSK group already have separate VLANs assigned to each group. Is that what you're referring to? If I assign that GP directly to a client does that achieve the same result?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.