Same SSID on multiple sites with NPS

Jérôme
Here to help


Hi, 

We have configured an SSID with enterprise security using Microsoft NPS as the RADIUS server, with the VLAN tag override. It is our RADIUS server which, depending on the PC's group, assigns the Tunnel-Pvt-Group-ID.

Example: my SSID is called WIFI_TEST

  • if my PC belongs to the AD group WIFI-SERVICE1, the RADIUS server gives it VLAN 75
  • if my PC belongs to the AD group WIFI-SERVICE2, the RADIUS server gives it VLAN 76
  • if my PC belongs to the AD group WIFI-SERVICE3, the RADIUS server gives it VLAN 77

It works fine on a single site.

We have other remote sites connected over MPLS. How can we duplicate this configuration on our other sites, knowing that we cannot route the same VLAN IDs? Is it possible to mix, in the same SSID configuration, RADIUS override and VLAN tagging for the remote sites? Can we put several Tunnel-Pvt-Group-IDs on the RADIUS server? How did you do it?

Regards...

alemabrahao
Kind of a big deal

You can use Called-Station-ID:

It contains (1) the Meraki access point's BSSID (all caps, octets separated by hyphens) and (2) the SSID on which the wireless device is connecting. These two fields are separated by a colon. Example: "AA-BB-CC-DD-EE-FF:SSID_NAME".

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

GreenMan
Meraki Employee

Why can't you re-use the same VLAN IDs? Assuming you are not interconnecting your sites at Layer 2, it's very common to use exactly the same VLAN ID for the same service / user group at different sites in a WAN.

Support for the RADIUS server returning a VLAN name (rather than an ID) is a part of future planning, but I haven't seen a date for that, as yet.

Jérôme
Here to help

Hi,

Thank you for your answers.

@alemabrahao I had not thought of the Called-Station-ID; it's a good idea. We have more than 100 APs on our remote sites, so it will take a long time to configure.

@GreenMan I think it's not possible with MPLS. Our ISP doesn't know how to do it.

JacekJ
Building a reputation

You would need to set up different clients (APs) in the NPS, so you can easily differentiate between them in the NPS.

Let's say you call the clients SITE1-WIFI and SITE2-WIFI with the IP ranges of the respective site's APs.

Then in the NPS you can set up policies and use "Client Friendly Name" with a value of "SITE1*" - this will affect only requests coming from APs that are in SITE1 and so on.

I hopefully understood your question correctly 😉
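The two suggestions in this thread (alemabrahao's Called-Station-ID match and JacekJ's per-site RADIUS client names) both come down to the same decision: work out which site the request came from, then return that site's VLAN for the machine's AD group. The following Python is an added example, not code from the thread or from NPS; it models how the NPS network policies would evaluate a request so the logic can be checked before it is typed into the NPS console. The SITE2/SITE3 VLAN IDs, the AP management ranges, and the BSSIDs are hypothetical; only SITE1's 75/76/77 and the SSID name come from the original post.

```python
import ipaddress
import re

# All data below is constructed for illustration.
# Per-site VLAN plan: each site gets its own IDs because, as the thread
# states, the same VLAN IDs cannot be routed across the MPLS WAN.
# SITE2/SITE3 values are hypothetical.
SITE_VLANS = {
    "SITE1": {"WIFI-SERVICE1": 75, "WIFI-SERVICE2": 76, "WIFI-SERVICE3": 77},
    "SITE2": {"WIFI-SERVICE1": 175, "WIFI-SERVICE2": 176, "WIFI-SERVICE3": 177},
    "SITE3": {"WIFI-SERVICE1": 275, "WIFI-SERVICE2": 276, "WIFI-SERVICE3": 277},
}

# NPS RADIUS clients as JacekJ describes: friendly name "SITEn-WIFI" plus the
# management range of that site's access points (hypothetical ranges).
RADIUS_CLIENTS = {
    "SITE1-WIFI": ipaddress.ip_network("10.1.0.0/24"),
    "SITE2-WIFI": ipaddress.ip_network("10.2.0.0/24"),
    "SITE3-WIFI": ipaddress.ip_network("10.3.0.0/24"),
}

# alemabrahao's alternative: map each AP's BSSID (first half of the
# Called-Station-Id) to its site. Hypothetical BSSIDs.
BSSID_SITE = {
    "AA-BB-CC-DD-EE-01": "SITE1",
    "AA-BB-CC-DD-EE-02": "SITE2",
    "AA-BB-CC-DD-EE-03": "SITE3",
}

SSID = "WIFI_TEST"
TUNNEL_TYPE_VLAN = 13       # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 2868 Tunnel-Medium-Type value for IEEE-802

# Meraki format quoted above: "AA-BB-CC-DD-EE-FF:SSID_NAME" (upper-case hex)
CALLED_STATION_RE = re.compile(r"^([0-9A-F]{2}(?:-[0-9A-F]{2}){5}):(.+)$")


def parse_called_station_id(value):
    """Split a Meraki Called-Station-Id into (bssid, ssid); None if malformed."""
    m = CALLED_STATION_RE.match(value or "")
    return (m.group(1), m.group(2)) if m else None


def site_from_nas_ip(nas_ip):
    """JacekJ's approach: which RADIUS client entry (site) sent the request?
    This mirrors an NPS condition 'Client Friendly Name matches SITE1*'."""
    addr = ipaddress.ip_address(nas_ip)
    for friendly_name, network in RADIUS_CLIENTS.items():
        if addr in network:
            return friendly_name.split("-")[0]
    return None


def site_from_called_station_id(value):
    """alemabrahao's approach: derive the site from the AP's BSSID."""
    parsed = parse_called_station_id(value)
    return BSSID_SITE.get(parsed[0]) if parsed else None


def vlan_attributes(request, ad_groups):
    """Evaluate a request the way the per-site NPS network policies would.

    request: dict of RADIUS attributes (NAS-IP-Address, Called-Station-Id).
    ad_groups: AD groups the authenticating machine belongs to.
    Returns the RFC 2868 tunnel attributes for the Access-Accept, or None
    when no policy matches (NPS would then reject the request).
    """
    parsed = parse_called_station_id(request.get("Called-Station-Id"))
    if parsed is None or parsed[1] != SSID:
        return None  # these policies apply only to the WIFI_TEST SSID

    site_by_client = site_from_nas_ip(request.get("NAS-IP-Address", "0.0.0.0"))
    site_by_bssid = site_from_called_station_id(request.get("Called-Station-Id"))
    # Caveat: both views must agree. An AP registered under one site's client
    # entry but advertising another site's BSSID is a misconfiguration, and
    # handing it a VLAN it cannot reach helps nobody.
    if site_by_client is None or site_by_client != site_by_bssid:
        return None

    vlans = SITE_VLANS[site_by_client]
    # Policies are ordered SERVICE1, SERVICE2, SERVICE3; first match wins,
    # exactly as NPS processes its policy list top to bottom.
    for group in ("WIFI-SERVICE1", "WIFI-SERVICE2", "WIFI-SERVICE3"):
        if group in ad_groups:
            return {
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
                "Tunnel-Private-Group-ID": str(vlans[group]),
            }
    return None


if __name__ == "__main__":
    req = {"NAS-IP-Address": "10.2.0.15",
           "Called-Station-Id": "AA-BB-CC-DD-EE-02:WIFI_TEST"}
    print(vlan_attributes(req, ["Domain Computers", "WIFI-SERVICE2"]))
```

In practice only one of the two site lookups is needed: the RADIUS-client approach needs one client entry per site (cheap with 100 APs sharing a management range), while the Called-Station-ID approach needs a regular expression per AP or per block of BSSIDs. The example checks both so that a request whose client entry and BSSID disagree is rejected rather than tagged into a VLAN the AP's site cannot route.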
