Meraki

Community

Setting up WiFi access for staff - restricting access to members of an AD security group - how to?

HML
Conversationalist
‎Nov 15 2017 3:38 AM
‎Nov 15 2017 3:38 AM

Setting up WiFi access for staff - restricting access to members of an AD security group - how to?

Hello all,

 

We are using the Cisco Meraki Wireless access points across our offices to provide a staff WiFi. We are now planning to implement a guest WiFi network (using Meraki authentication with short term passwords etc.) but when proposing this I have been asked to see if we can integrate WiFi access on the staff network with Active Directory, specifically only allowing staff who are a member of a particular security group.

 

I have created a test security group in Active Directory, I have set our Meraki security appliance to connect to Active Directory and it finds the security group, however, I am stuck at creating a 'Meraki' Group policy which simply allows access to the newly created 'Staff' WiFi SSID.

 

Has anybody else set up something similar? If so, how did you overcome these hurdles?

 

I'm also a bit apprehensive about turning on Active Directory authentication on our main security device - if I do this, will it still work as normal? We have a lot of satellite homeworkers who hang off our MX100 as their hub.

 

Any help or suggestions appreciated!

 

Thanks.

0 Kudos
5 Replies 5
Mr_IT_Guy
A model citizen
‎Nov 15 2017 6:30 AM
‎Nov 15 2017 6:30 AM

We've used AD authentication and it works fine. Keep in mind, however, that this will be hitting your AD server hard with WMI traffic so if you have any sensors, it may set them off.  

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
HML
Conversationalist
‎Nov 16 2017 12:16 AM
‎Nov 16 2017 12:16 AM

Hi,

 

Yeah, we have tested the AD authentication and that works just fine, however, I am looking to lock it down to grant WiFi access to members of a particular security group in AD. I have found that I can link AD security groups to Meraki groups, however, I cannot see an option there to block access using it (unless it's something as simple as switching off scheduling)?

 

Did you achieve something like the above or are you just allowing all AD users access to the WiFi?

 

Thanks,

 

Andy

0 Kudos
NickCalcutti
Getting noticed
‎Nov 16 2017 7:25 AM
‎Nov 16 2017 7:25 AM

i dont have a MX device used like you do to replicate your issue but i have accomplished the same thing with Radius Authentication using 802.1x for wifi,

 

i have our guest SSID open and blocked connection to local lan and have the wifi use its own DHCP to handle that

 

For the Staff wifi i have the 802.1x authentication that looks ad specific AD security groups to authenticate.with the Radius server which is a windows 2012 R2 running the NPS role and IIS role to push the certificate. Also i have a group policy for windows 7 devices for the wifi that automatically inputs the wifi settings. Windows 10 you don't need to do this it just works but windows 7 group policy is highly recommended.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

i think this will solve your issue even though it has a bit more steps

 

BrothersTM
Getting noticed
‎Nov 17 2017 8:04 AM
‎Nov 17 2017 8:04 AM

Meraki's scoping AD article is where you need to look.  I tested this initially and can confirm it works well.  I chose to go a different route in order to limit the number of SSID's that were being broadcasted.

 

https://documentation.meraki.com/MR/Splash_Page/Scoping_Active_Directory_per_SSID

In response to BrothersTM
HML
Conversationalist
‎Nov 17 2017 8:12 AM
‎Nov 17 2017 8:12 AM

Thanks for your reply, and everyone else's replies, very helpful!

 

Thanks,

 

Andy

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.