Rebuilding our Wifi Networks

Solved
DerikA
Getting noticed

Rebuilding our Wifi Networks

I am implementing new SSIDs with proper security to replace a patchwork and insecure wireless "solution" I inherited and am wondering if anyone has any input or recommendations.

 

Background:

My company has patchwork wifi solutions in place including, a Cisco 2405 with 3 SSIDs supporting 2 locations, a scattering of eero home-style mess network devices providing "guest" type access and then about 20 Meraki networks with wireless (these are typically a "mixed" network with MX, MS and MR devices). There is overlap of all 3 solutions in various locations. There is also a mix of SSID throughout the company requiring different PSK. (General nightmare)

 

Generally we have a guest and an employee network that allow access via a PSK that has been in use for 10+ years.

 

Devices are a mix of laptops (domain and non-domain), end user smart phones and work provided tablets and handhelds. Of course many of the devices and non-domain computers needs access to specific network resources.

 

My plan:

  1. Replace all non-Meraki solutions with MR access points and consolidate all SSIDs to 3 or 4 that span the entire company.
  2. Build an SSID that will use RADIUS authentication for all the work computers and use Active Directory to deploy the PEAP wifi profile to all the PC so users wont have to sign into the wireless on their computers. This will be a hidden SSID.
  3. Create a guest network that will be isolated from the LAN and have a splash page with a usage agreement to click through. This SSID will require daily renewal via the splash page.
  4. Create an "employee" SSID that will provide internet only for all personal phones, non-domain laptops and other handhelds that do not need network access using RADIUS to authenticate and be isolated from the LAN.

I am open to any suggestions for any item but here is where I primarily would like some input:

 

My options for providing access to resources on the production network for devices that are non-domain are:

  1. Create group policies in Meraki that tie to an Active Directory sign-on's to allow to specific server resources when on the "employee" SSID. (easy)
  2. Create group policies in Meraki that I would then apply to specific devices to allow specific server resources to devices on the "Guest" SSID and bypasses the splash page. (not as easy but more secure?)
  3. Create a 4th SSID for any devices that need access to server resources, isolate them from the LAN and make specific firewall rules for access to resources. Meraki group policies could be use here as well. (I prefer to have as few SSID as possible though)
  4. Other options?

Looking for any real life examples, recommendations or warnings any of you may have.


Thanks!


DerikA

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

>Create group policies in Meraki that I would then apply to specific devices to allow specific server resources to devices on the "Guest" SSID and bypasses the splash page. (not as easy but more secure?)

 

I tend to do this, and also use the option to put the device into a different VLAN.

 

You could also take a look at Trusted Access.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Trusted_Access_for_S... 

View solution in original post

4 Replies 4
kYutobi
Kind of a big deal

@DerikA seems to me you got a pretty good setup. Now I'm sure my other All Star colleagues will chime in on a few things if needed but that seems like a very simple setup to convert to. 😁 

Enthusiast
PhilipDAth
Kind of a big deal
Kind of a big deal

>Create group policies in Meraki that I would then apply to specific devices to allow specific server resources to devices on the "Guest" SSID and bypasses the splash page. (not as easy but more secure?)

 

I tend to do this, and also use the option to put the device into a different VLAN.

 

You could also take a look at Trusted Access.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Trusted_Access_for_S... 

DerikA
Getting noticed

@PhilipDAth I've looked at this option and would very much like to use more policy based access but unfortunately SM is not in our budget.

 

I have been leaning to group policies applied to the individual devices.

 

Question, would putting them in a separate VLAN be needed if I am using NAT mode which restricts clients from communicating with each other?

 

Thanks!

PhilipDAth
Kind of a big deal
Kind of a big deal

>Question, would putting them in a separate VLAN be needed if I am using NAT mode which restricts clients from communicating with each other?

 

Typically you set guest wifi so it can't talk to anything internally.  So if you have a device that needs to talk to something internally and you want to keep your SSID count low, it is best to put that into a different VLAN rather than modifying the guest firewall rules to allow a specific IoT device access to something.  Also if you do put it in a guest VLAN it means guest can try and talk to it.

I often use an IoT VLAN these days, especially for this purpose.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels