Mixed Mode SSID

Solved
DevOps_RC
Getting noticed

Mixed Mode SSID

I'm trying to reduce the number of SSIDs that our company utilises. We are in the process of deploying a new ISE service, and so we should be able to combine 4 SSIDs into one, by getting ISE to assign the relevant local VLAN that clients should breakout on depending on the domain/user/group that is authenticating.

However, that still leaves a few SSIDs which either authenticate using passphrases or need to breakout centrally at an MX appliance.

Is there anyway to have an SSID which can breakout both locally on a vlan and centrally at an MX depending on either authentication or device type or by TAG associated with the AP the devices are connecting to?

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

>Is there anyway to have an SSID which can breakout both locally on a vlan and centrally at an MX

 

I'm 99% sure the answer is no.  The SSID must either be configured for tunnelling to an MX, or not.  It is not a setting done per client.

View solution in original post

5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal

You can create policies in ISE to assign different VLANs. This will depend on how you configure the politics of course. This example is for the Catalyst 9800, but you can reproduce it for Meraki.
 
This is something that depends more on ISE than Meraki itself.

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216130...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

>Is there anyway to have an SSID which can breakout both locally on a vlan and centrally at an MX

 

I'm 99% sure the answer is no.  The SSID must either be configured for tunnelling to an MX, or not.  It is not a setting done per client.

TBHPTL
A model citizen

have your RADIUS server return the filter-id attribute which will correspond with  the name  of a locally defined group policy that is configured on the Meraki network. You can perform wireless VLAN overrides and traffic shaping,  L3 and L7 FW rules in this manner, all locally. For your central MX you can define the group policy and manually bind that policy to the interface.

DevOps_RC
Getting noticed

Thanks for the information, but just to make sure I'm not misunderstanding, the group policy itself will not determine whether the client should breakout locally from the SSID or tunnel back to the MX, it only sets the local vlan override, L3/7 FW and traffic shaping.

If that is the case, then I guess @PhilipDAth can change his 99% too 100%. 🙂

Thanks all for the responses. I'd raise a feature request but suspect I'd be the only client requesting it.

PhilipDAth
Kind of a big deal
Kind of a big deal

> the group policy itself will not determine whether the client should breakout locally from the SSID or tunnel back to the MX, it only sets the local vlan override, L3/7 FW and traffic shaping.

 

That is the case.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels