Meraki

Community

SSID Tunneling Supported Security and VLAN Tagging Methods

Solved
Andrew_Williams
Here to help
‎May 31 2023 7:39 AM
‎May 31 2023 7:39 AM

SSID Tunneling Supported Security and VLAN Tagging Methods

Hi Team, does anyone have experience with SSID tunneling (MX as a concentrator). Wanted to know if the following security methods are supported:
 
  1. Enterprise Authentication with Radius Server (NPS) doing VLAN association
  2. IPSK without Radius doing VLAN tagging on a group policy?
Essentially looking to extend VLANs and IP addressing from the Head Office to a Branch Site
0 Kudos
1 Accepted Solution
In response to Andrew_Williams
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎May 31 2023 9:25 AM
‎May 31 2023 9:25 AM

Andrew I can answer the IPSK question. I just tested and the client does indeed honor the VLAN sent in the Group Policy when using IPSK. I would imagine a VLAN sent via RADIUS would also work fine.

View solution in original post

10 Replies 10
alemabrahao
Kind of a big deal
‎May 31 2023 7:41 AM
‎May 31 2023 7:41 AM

Take a look at the documentation.

 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Andrew_Williams
Here to help
‎May 31 2023 7:57 AM
‎May 31 2023 7:57 AM

Hi @alemabrahao  thanks for your help. 

 

I have reviewed the documentation and I know it infers that Radius authentication works with VPN concentrator mode but I'd like to confirm with the experience of others that there are no issues with honoring the VLAN from the Radius server. 

 

Additionally it doesn't mention IPSK without Radius and VLAN tagging through a group policy so I'm seeking clarification there as well. 

0 Kudos
In response to Andrew_Williams
alemabrahao
Kind of a big deal
‎May 31 2023 8:50 AM
‎May 31 2023 8:50 AM

You can perform a LAB to confirm. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Andrew_Williams
Here to help
‎May 31 2023 9:21 AM
‎May 31 2023 9:21 AM

If I had that option perhaps I wouldn't have posted on this forum asking for clarification 😉

0 Kudos
In response to Andrew_Williams
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎May 31 2023 9:25 AM
‎May 31 2023 9:25 AM

Andrew I can answer the IPSK question. I just tested and the client does indeed honor the VLAN sent in the Group Policy when using IPSK. I would imagine a VLAN sent via RADIUS would also work fine.

In response to Ryan_Miles
Andrew_Williams
Here to help
‎May 31 2023 9:30 AM
‎May 31 2023 9:30 AM

FANTASTIC! Thanks Ryan! You're awesome and I really appreciate you testing it in such a short time.

0 Kudos
In response to Andrew_Williams
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎May 31 2023 9:46 AM
‎May 31 2023 9:46 AM

Just tested using JumpCloud RADIUS and the VLAN attribute is also honored/working.

In response to Ryan_Miles
Andrew_Williams
Here to help
‎May 31 2023 9:51 AM
‎May 31 2023 9:51 AM

Thanks again Ryan.

 

Just to confirm, for the Client and VLAN settings on the SSID we're leaving the VLAN tag unselected right? 

 

Andrew_Williams_0-1685551761736.png

 

0 Kudos
In response to Andrew_Williams
Ryan_Miles
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎May 31 2023 9:58 AM
‎May 31 2023 9:58 AM

In my lab the MX is concentrator mode. So not a interface dropdown, but rather an open field to type a non default/native VLAN ID. But I don't think the behavior would be any different.

 

In my usual setup I have the tunneled SSID drop clients into VLAN 600 (a DMZ subnet).

 

In my testing this morning I added VLAN 90 to the switchport connected to my MX. Then for the IPSK and RADIUS tests I set VLAN 90 as the VLAN tag (IPSK) /Tunnel-Private-Group-ID attribute (RADIUS). For the RADIUS config you of course need to enable the toggle for RADIUS override for the VLAN tagging to work.

In response to Ryan_Miles
Andrew_Williams
Here to help
‎May 31 2023 10:01 AM
‎May 31 2023 10:01 AM

Perfect. Thanks Ryan you're a godsend!

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.