Meraki

Community

Mixed Mode SSID

Solved
DevOps_RC
Building a reputation
‎Jun 29 2023 2:42 AM
‎Jun 29 2023 2:42 AM

Mixed Mode SSID

I'm trying to reduce the number of SSIDs that our company utilises. We are in the process of deploying a new ISE service, and so we should be able to combine 4 SSIDs into one, by getting ISE to assign the relevant local VLAN that clients should breakout on depending on the domain/user/group that is authenticating.

However, that still leaves a few SSIDs which either authenticate using passphrases or need to breakout centrally at an MX appliance.

Is there anyway to have an SSID which can breakout both locally on a vlan and centrally at an MX depending on either authentication or device type or by TAG associated with the AP the devices are connecting to?

 

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 29 2023 1:23 PM
‎Jun 29 2023 1:23 PM

>Is there anyway to have an SSID which can breakout both locally on a vlan and centrally at an MX

 

I'm 99% sure the answer is no.  The SSID must either be configured for tunnelling to an MX, or not.  It is not a setting done per client.

View solution in original post

5 Replies 5
alemabrahao
Kind of a big deal
‎Jun 29 2023 4:25 AM
‎Jun 29 2023 4:25 AM

You can create policies in ISE to assign different VLANs. This will depend on how you configure the politics of course. This example is for the Catalyst 9800, but you can reproduce it for Meraki.
 
This is something that depends more on ISE than Meraki itself.

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216130...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 29 2023 1:23 PM
‎Jun 29 2023 1:23 PM

>Is there anyway to have an SSID which can breakout both locally on a vlan and centrally at an MX

 

I'm 99% sure the answer is no.  The SSID must either be configured for tunnelling to an MX, or not.  It is not a setting done per client.

In response to PhilipDAth
TBHPTL
Head in the Cloud
‎Jun 30 2023 8:46 AM
‎Jun 30 2023 8:46 AM

have your RADIUS server return the filter-id attribute which will correspond with  the name  of a locally defined group policy that is configured on the Meraki network. You can perform wireless VLAN overrides and traffic shaping,  L3 and L7 FW rules in this manner, all locally. For your central MX you can define the group policy and manually bind that policy to the interface.

0 Kudos
In response to TBHPTL
DevOps_RC
Building a reputation
‎Jul 3 2023 12:29 AM
‎Jul 3 2023 12:29 AM

Thanks for the information, but just to make sure I'm not misunderstanding, the group policy itself will not determine whether the client should breakout locally from the SSID or tunnel back to the MX, it only sets the local vlan override, L3/7 FW and traffic shaping.

If that is the case, then I guess @PhilipDAth can change his 99% too 100%. 🙂

Thanks all for the responses. I'd raise a feature request but suspect I'd be the only client requesting it.

0 Kudos
In response to DevOps_RC
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 3 2023 3:03 PM
‎Jul 3 2023 3:03 PM

> the group policy itself will not determine whether the client should breakout locally from the SSID or tunnel back to the MX, it only sets the local vlan override, L3/7 FW and traffic shaping.

 

That is the case.

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.