SSID Tunneling Supported Security and VLAN Tagging Methods

Solved
Andrew_Williams
Here to help

SSID Tunneling Supported Security and VLAN Tagging Methods

Hi Team, does anyone have experience with SSID tunneling (MX as a concentrator). Wanted to know if the following security methods are supported:
 
  1. Enterprise Authentication with Radius Server (NPS) doing VLAN association
  2. IPSK without Radius doing VLAN tagging on a group policy?
Essentially looking to extend VLANs and IP addressing from the Head Office to a Branch Site
1 Accepted Solution

Andrew I can answer the IPSK question. I just tested and the client does indeed honor the VLAN sent in the Group Policy when using IPSK. I would imagine a VLAN sent via RADIUS would also work fine.

Ryan / Meraki Solutions Engineer

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal

Take a look at the documentation.

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Andrew_Williams
Here to help

Hi @alemabrahao  thanks for your help. 

 

I have reviewed the documentation and I know it infers that Radius authentication works with VPN concentrator mode but I'd like to confirm with the experience of others that there are no issues with honoring the VLAN from the Radius server. 

 

Additionally it doesn't mention IPSK without Radius and VLAN tagging through a group policy so I'm seeking clarification there as well. 

You can perform a LAB to confirm. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

If I had that option perhaps I wouldn't have posted on this forum asking for clarification 😉

Andrew I can answer the IPSK question. I just tested and the client does indeed honor the VLAN sent in the Group Policy when using IPSK. I would imagine a VLAN sent via RADIUS would also work fine.

Ryan / Meraki Solutions Engineer

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

FANTASTIC! Thanks Ryan! You're awesome and I really appreciate you testing it in such a short time.

Just tested using JumpCloud RADIUS and the VLAN attribute is also honored/working.

Ryan / Meraki Solutions Engineer

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Thanks again Ryan.

 

Just to confirm, for the Client and VLAN settings on the SSID we're leaving the VLAN tag unselected right? 

 

Andrew_Williams_0-1685551761736.png

 

In my lab the MX is concentrator mode. So not a interface dropdown, but rather an open field to type a non default/native VLAN ID. But I don't think the behavior would be any different.

 

In my usual setup I have the tunneled SSID drop clients into VLAN 600 (a DMZ subnet).

 

In my testing this morning I added VLAN 90 to the switchport connected to my MX. Then for the IPSK and RADIUS tests I set VLAN 90 as the VLAN tag (IPSK) /Tunnel-Private-Group-ID attribute (RADIUS). For the RADIUS config you of course need to enable the toggle for RADIUS override for the VLAN tagging to work.

Ryan / Meraki Solutions Engineer

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Perfect. Thanks Ryan you're a godsend!

Get notified when there are additional replies to this discussion.