Meraki

Community

Meraki WPN - specific use case

Solved
JacekJ
Building a reputation
‎Jun 23 2023 2:03 AM
‎Jun 23 2023 2:03 AM

Meraki WPN - specific use case

This post has two goals - share a unconventional use of WPN and also ask a small question at the end 😉

 

I have a very specific case, where a guest network has the same SSID across many sites/locations of the company, but different passwords (legacy reasons).

The issue is that if people travel between sites they need to constantly remove profiles and change the passwords which is just a pain.

 

So I figured, that we could leverage the WPN function (https://documentation.meraki.com/MR/Encryption_and_Authentication/Wi-Fi_Personal_Network_(WPN)) in the following way:

- switch the existing guest SSID to the "identity PSK without RADIUS" mode

- add a separate profile for each password that we know that is used in all sites

- create a dummy group policy (you are forced to assign it) that changes absolutely nothing and assign it to all profiles

 

This works just flawlessly, we have clients coming in from different sites and they just get connected.

This is a guest network so the WP2 limit doesn't hurt as much, but one issue I have is that the clients within one profile can see each other in the network (I know this is by design), but maybe there is a way to separate them?

Any ideas?

0 Kudos
1 Accepted Solution
In response to ChristophJ
TBHPTL
A model citizen
‎Jun 27 2023 8:15 PM
‎Jun 27 2023 8:15 PM

This does not work with WPN because WPN encapsulates the traffic with GUE specifically for the purpose of allowing intercommunication with devices that have identical WPN IDs.

TBHPTL_0-1687922086092.png

 

View solution in original post

0 Kudos
8 Replies 8
ChristophJ
Here to help
‎Jun 23 2023 7:29 AM
‎Jun 23 2023 7:29 AM

You could use the "Layer 2 LAN isolation" feature if you're bridging the guest Wi-Fi to a VLAN.
It's under Wireless -> Firewall & traffic shaping


Documented here:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation


Not sure if it works with the iPSK feature, I haven't been able to test it in my environment because we tunnel our SSID to a guest concentrator.

0 Kudos
In response to ChristophJ
TBHPTL
A model citizen
‎Jun 27 2023 8:15 PM
‎Jun 27 2023 8:15 PM

This does not work with WPN because WPN encapsulates the traffic with GUE specifically for the purpose of allowing intercommunication with devices that have identical WPN IDs.

TBHPTL_0-1687922086092.png

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 25 2023 12:54 PM
‎Jun 25 2023 12:54 PM

I think the only way to prevent WPN clients from seeing each other is to have them use a separate iPSK.

 

WPN already uses layer 3 LAN isolation for each group, and you can't further apply it per client.

0 Kudos
In response to PhilipDAth
JacekJ
Building a reputation
‎Jun 26 2023 2:13 AM
‎Jun 26 2023 2:13 AM

I wonder if I would add a firewall rule in the group policy preventing access from the local subnet.

Lets say the guest subnet is 192.168.0.0/24, I would add an DENY for the 192.168.0.0/24 and before that add an allow for the gateway.

I don't see why this wouldn't work, but maybe I'm missing something obvious?

0 Kudos
TBHPTL
A model citizen
‎Jun 27 2023 8:22 PM
‎Jun 27 2023 8:22 PM

Time to update the legacy policy and match your passphrase at each site and then you can do standard bridge mode with L2 isolation enabled. Update your passphrase on an ongoing  and routine basis since WPA2-PSK is busted ...or go WPA3-SAE from jump street.

0 Kudos
In response to TBHPTL
JacekJ
Building a reputation
‎Jun 27 2023 11:10 PM
‎Jun 27 2023 11:10 PM

Fully aware of that, just wanted to point our that WPN can be used to cover a scenario which some of us might have.

0 Kudos
In response to JacekJ
TBHPTL
A model citizen
‎Jun 28 2023 11:34 AM
‎Jun 28 2023 11:34 AM

I like your use case.  The flexibility that Cisco Meraki provides is what makes their product offering so  desirable.. Was thinking that although you cant have L2 iso with a shared PSK you could use the differing passphrases for each PSK for each "office" with a VLAN override and limit the exposure to those from the same office while using L3 rules to allow access to other service on the "resident" network/VLANS.

 

0 Kudos
In response to TBHPTL
JacekJ
Building a reputation
‎Jul 6 2023 6:21 AM
‎Jul 6 2023 6:21 AM

You don't need to apply different vlans for different passphrases, they are separated from each other already, its by design.

Think about the WPN as a perfect solution for hotels where every room gets their different password. Now for example a chromecast that you would connect to the TV, or the built in smart TV would be visible for all devices that use the same password.

In normal circumstances this is not possible when you use an client isolation.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.