Meraki WPN - specific use case

Solved
JacekJ
Building a reputation


This post has two goals - share an unconventional use of WPN and also ask a small question at the end 😉


I have a very specific case, where a guest network has the same SSID across many sites/locations of the company, but different passwords (legacy reasons).

The issue is that if people travel between sites they need to constantly remove profiles and change the passwords which is just a pain.


So I figured, that we could leverage the WPN function (https://documentation.meraki.com/MR/Encryption_and_Authentication/Wi-Fi_Personal_Network_(WPN)) in the following way:

- switch the existing guest SSID to the "identity PSK without RADIUS" mode

- add a separate profile for each password that we know is used in all sites

- create a dummy group policy (you are forced to assign it) that changes absolutely nothing and assign it to all profiles


This works just flawlessly, we have clients coming in from different sites and they just get connected.

This is a guest network so the WPA2 limit doesn't hurt as much, but one issue I have is that the clients within one profile can see each other in the network (I know this is by design), but maybe there is a way to separate them?

Any ideas?

1 Accepted Solution

This does not work with WPN because WPN encapsulates the traffic with GUE specifically for the purpose of allowing intercommunication with devices that have identical WPN IDs.


8 Replies
ChristophJ
Here to help

You could use the "Layer 2 LAN isolation" feature if you're bridging the guest Wi-Fi to a VLAN.
It's under Wireless -> Firewall & traffic shaping


Documented here:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation


Not sure if it works with the iPSK feature, I haven't been able to test it in my environment because we tunnel our SSID to a guest concentrator.


PhilipDAth
Kind of a big deal

I think the only way to prevent WPN clients from seeing each other is to have them use a separate iPSK.


WPN already uses layer 3 LAN isolation for each group, and you can't further apply it per client.

JacekJ
Building a reputation

I wonder if I would add a firewall rule in the group policy preventing access from the local subnet.

Let's say the guest subnet is 192.168.0.0/24, I would add a DENY for 192.168.0.0/24 and before that add an allow for the gateway.

I don't see why this wouldn't work, but maybe I'm missing something obvious?
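
Added example, not code from this thread or from Meraki: a small Python check of the rule order proposed in the post above (allow the gateway first, then deny the rest of the guest subnet), together with the "changes nothing" group policy from step 3 of the original setup for comparison. The rule dictionary shape mirrors the Dashboard API group-policy l3FirewallRules fields as I understand them (comment/policy/protocol/destPort/destCidr) and is an assumption, as are the subnet, gateway and resolver addresses, which are constructed sample values. It models first-match L3 evaluation only; whether the MR applies group-policy rules to traffic between WPN peers (the accepted answer says WPN traffic is GUE-encapsulated precisely so that peers can talk) and whether L2 discovery traffic such as mDNS is touched at all is the open question in the thread, and this check cannot answer it.

```python
"""Constructed example: first-match check of a group-policy L3 rule order.

Not Meraki's code. The rule dict shape mirrors the Dashboard API
group-policy l3FirewallRules fields as I understand them
(comment/policy/protocol/destPort/destCidr); treat that as an assumption.
"""
import ipaddress


def build_isolation_rules(guest_subnet, gateway, extra_allowed=()):
    """Rules in the proposed order: allow the gateway (plus any other
    in-subnet services, e.g. a DNS resolver) first, then deny the rest of
    the guest subnet. Unmatched traffic falls through to the implicit
    default allow at the end of an MR L3 rule list."""
    rules = [{"comment": "allow default gateway", "policy": "allow",
              "protocol": "any", "destPort": "any", "destCidr": f"{gateway}/32"}]
    for host in extra_allowed:
        rules.append({"comment": f"allow in-subnet service {host}", "policy": "allow",
                      "protocol": "any", "destPort": "any", "destCidr": f"{host}/32"})
    rules.append({"comment": "deny other guests on the local subnet", "policy": "deny",
                  "protocol": "any", "destPort": "any", "destCidr": guest_subnet})
    return rules


def noop_group_policy(name="WPN-placeholder"):
    """Step 3 of the original setup: a policy that changes nothing, present
    only because an iPSK profile has to reference some group policy."""
    return {"name": name}


def isolation_group_policy(name, guest_subnet, gateway, extra_allowed=()):
    """The same policy with custom L3 rules attached (assumed API shape)."""
    return {"name": name,
            "firewallAndTrafficShaping": {
                "settings": "custom",
                "l3FirewallRules": build_isolation_rules(guest_subnet, gateway,
                                                         extra_allowed)}}


def evaluate(rules, dst_ip, protocol="tcp", dst_port=443):
    """Top-down first-match evaluation; no match means default allow.
    Models L3 only: ARP, mDNS and other L2 discovery traffic never reaches
    an L3 rule, which is why the thread distinguishes L2 from L3 isolation."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        if rule["destPort"] != "any" and str(dst_port) != rule["destPort"]:
            continue
        if ip not in ipaddress.ip_network(rule["destCidr"], strict=False):
            continue
        return rule["policy"]
    return "allow"


if __name__ == "__main__":
    # Sample values constructed for the demo: guest subnet, its gateway and
    # an in-subnet resolver that guests must still be allowed to reach.
    rules = build_isolation_rules("192.168.0.0/24", "192.168.0.1",
                                  extra_allowed=["192.168.0.53"])
    for dst in ("192.168.0.1", "192.168.0.53", "192.168.0.42", "203.0.113.10"):
        print(dst, evaluate(rules, dst))
    # Same rules with the deny first: the gateway is now blocked as well.
    print("gateway with deny-first order:",
          evaluate(list(reversed(rules)), "192.168.0.1"))
```

Running it shows the point of putting the gateway allow before the subnet deny: with the proposed order the gateway and resolver are reachable, another guest is denied and the internet is allowed; with the order reversed the deny matches the gateway first and the client loses its default route. Anything the guests need inside the subnet (DHCP relay, captive portal host, printer) has to be listed above the deny in the same way.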

TBHPTL
A model citizen

Time to update the legacy policy and match your passphrase at each site and then you can do standard bridge mode with L2 isolation enabled. Update your passphrase on an ongoing and routine basis since WPA2-PSK is busted ... or go WPA3-SAE from jump street.

JacekJ
Building a reputation

Fully aware of that, just wanted to point out that WPN can be used to cover a scenario which some of us might have.

TBHPTL
A model citizen

I like your use case. The flexibility that Cisco Meraki provides is what makes their product offering so desirable. Was thinking that although you can't have L2 iso with a shared PSK you could use the differing passphrases for each PSK for each "office" with a VLAN override and limit the exposure to those from the same office while using L3 rules to allow access to other service on the "resident" network/VLANs.

JacekJ
Building a reputation

You don't need to apply different VLANs for different passphrases, they are separated from each other already, it's by design.

Think about the WPN as a perfect solution for hotels where every room gets a different password. Now for example a Chromecast that you would connect to the TV, or the built-in smart TV, would be visible to all devices that use the same password.

In normal circumstances this is not possible when you use client isolation.
