JumpCloud LDAP to Meraki Group Policy?

Solved
ngaibut
Conversationalist

JumpCloud LDAP to Meraki Group Policy?

Hi there,

 

We're currently testing out using JumpCloud LDAP with Meraki. We've got our SSID set up and we can authenticate and everything is great but we want to be able to do a bit more and are wondering the following.

 

Is it possible to have Meraki see what LDAP groups a user is authenticating on the Meraki LDAP splash page and then be able to take that info to auto put that device that just got auth'd into a specific group policy in Meraki?

 

To rephrase to what I'm trying to accomplish here, can we apply a specific group policy to a device based on what LDAP user authenticated to connect?

 

Thanks!

1 Accepted Solution
BenGarrison
Conversationalist

Hello, Ben from JumpCloud

 

We were speaking on the JumpCloud Slack lounge, and it looks like we were able to almost get there. 

 

  1. You need to follow the documentation here. The main difference here is not to use your public IP address.. but the IP address for your Dashboard IP. You might have to use traceroute or ping in order to get this. 
  2. You also need to make sire that "Filter-ID" is set as this can be consumed when receiving the Access-Accept reply from the JC Radius. You will then need to configure the reply attribute in your JumpCloud server with Filter-ID: nameOfPolicy.

 

We could not complete the integration however so this is not a complete solution at this time. The main reason is because the Filter-ID matching is currently in beta and we need to wait for meraki support to possibly enable it for this tenant. Once it has been enabled, we can continue to test and verify functionality properly. 

View solution in original post

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal

BlakeRichardson
Kind of a big deal
Kind of a big deal

@ngaibut  As mentioned you do that using Radius, below is a screenshot from Jumpcloud showing where you add Radius attributes to groups. The one Meraki seems to use "Aruba-User-Role" as its group attribute option. As long as you create a group policy with the exact same name as what you specify in Jumpcloud it will work. 

 

Screen Shot 2022-05-19 at 10.58.09 AM.png

 

 

Screen Shot 2022-05-19 at 10.59.33 AM.pngScreen Shot 2022-05-19 at 10.59.53 AM.png

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
ngaibut
Conversationalist

Thanks both for the insights! @BlakeRichardson Thanks for the specifics on the JumpCloud side too. 

 

Follow up question: 

 

We did experiment with JumpCloud Radius too and that worked well. We preferred the UI for LDAP because it allowed us to customize the splash screen with some additional instructions/clarifications whereas with Radius, it uses the native macOS/Windows dialogs for username and password entry which could be overcome with user education but was confusing to users in general for us.

 

Is there an option to do Radius using JumpCloud with a splash page for the authentication and we could push out the certificate via our MDM? I imagine I might be getting the weeds here and this might also be a JumpCloud limitation.

 

Thank you!

BenGarrison
Conversationalist

Hello, Ben from JumpCloud

 

We were speaking on the JumpCloud Slack lounge, and it looks like we were able to almost get there. 

 

  1. You need to follow the documentation here. The main difference here is not to use your public IP address.. but the IP address for your Dashboard IP. You might have to use traceroute or ping in order to get this. 
  2. You also need to make sire that "Filter-ID" is set as this can be consumed when receiving the Access-Accept reply from the JC Radius. You will then need to configure the reply attribute in your JumpCloud server with Filter-ID: nameOfPolicy.

 

We could not complete the integration however so this is not a complete solution at this time. The main reason is because the Filter-ID matching is currently in beta and we need to wait for meraki support to possibly enable it for this tenant. Once it has been enabled, we can continue to test and verify functionality properly. 

ngaibut
Conversationalist

Thanks to the help from @BenGarrison . We were able to get this to work. 

 

We had to submit a ticket to Meraki to have them enable the "Filter-ID RADIUS attribute with a group policy for sign-on splash" feature as referenced in this article. Once the feature is enabled, in JumpCloud, we created a new RADIUS attribute in the user group where the user group is bound to RADIUS. 

 

The RADIUS attribute name is "Filter-ID" and the RADIUS attribute value would be the same name as the group policy that would be getting applied on those machines on the Meraki side. 

 

The important bit here is that in JumpCloud, when setting up the RADIUS server, the IP address that you want to use is the Meraki Dashboard IP, which @BenGarrison references. We got our IP address by pinging our instance of the Meraki dashboard https://n###.meraki.com

 

Once you plug in all the right settings, we could see our device authing with RADIUS on the splash page and then automatically getting assigned the group policy in Meraki!

BlakeRichardson
Kind of a big deal
Kind of a big deal

@BenGarrison Welcome, we have spoken a few times on the Jumpcloud community so nice to see you here as well. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
BenGarrison
Conversationalist

Thanks Blake! I have always monitored, just never posted really. Hope to help where I can!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels