Hello everyone. I am an IT Engineer who works for a school district that just put in Meraki Switching and is currently putting in the Wireless APs and MX Firewalls. I am trying to create a Splash Page Sign-On Wireless SSID that authenticates against my Active Directory infrastructure. This SSID is a guest-style network that is for the Staff to connect their personal devices. We do not want the students being able to connect to this. Students do have AD accounts. Setting up the SSID with the AD auth was easy, but it's the scoping that I am having trouble getting to work. For reference, I am following the official Meraki Documentation here (scoping part at the bottom). The APs we have are MR46s.
Now, after reviewing that documentation, I have denied the service account being used on this SSID read access to the OUs where my student accounts are located. The OU structure looks like below:
Building OU -> Users OU -> Students OU (This is where I denied the service account access) -> Grad Year OU (this is where the actual accounts reside)
I made sure the security permissions apply to the Students OU object and all descendant objects. I have been able to confirm this account has no read access to the Students OU or anything under it by using the Sysinternals tool Active Directory Explorer. However, every time I test this, I am still able to connect as a student. I can connect as a staff account as well, but I don't want the student accounts to be able to connect to this SSID. I have been scouring Google, Reddit, the Meraki Community, etc., and I can't figure out what I am doing wrong here. Based on everything I read, it should work the way I have it configured. Is there anyone who has set this up successfully who can offer some advice?
I ran out of time on Friday, so I couldn't submit a ticket with Meraki. I am going to try to do that this week. I am also looking at trying to set up RADIUS via the Splash Page per this Meraki documentation, but it requires firewall rules to allow the Cloud Controller to reach my RADIUS server via the Internet. I'd prefer not to poke holes in my firewall if I don't have to. On our current Wi-Fi setup, we do WPA2-Enterprise RADIUS with NPS policies, but I like the splash page option more because it is more user friendly. It is device agnostic and doesn't matter which device you connect from. This SSID has all kinds of devices connecting to it, and they are all personal devices, so MDM is not an option here.
I appreciate your time and help. Thank you.
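Added example (not part of the original post, and not taken from Meraki or Microsoft documentation): a PowerShell check, run from a domain-joined admin workstation with the ActiveDirectory module, that looks at the Students OU deny the way the service account would see it. It does three things: lists the ACEs on the Students OU that name the service account (so the deny, its rights and its inheritance setting can be read off directly rather than inferred from AD Explorer), binds as the service account and searches from the domain root for one known student and one known staff account, and scans the Grad Year OUs underneath for an explicit Allow that would override the inherited Deny (in AD, explicit ACEs are evaluated before inherited ones). The domain, OU distinguished names, service account and sample user names are hypothetical placeholders.

```powershell
# Added example, not from the original post. Verify an OU read-deny for a
# directory service account from that account's own point of view.
# Hypothetical names, change to match your domain:
#   Domain:          corp.example.edu  (DC=corp,DC=example,DC=edu)
#   Students OU:     OU=Students,OU=Users,OU=Building,DC=corp,DC=example,DC=edu
#   Service account: CORP\svc-meraki-ldap
#   Known student:   jstudent2027   Known staff member: jteacher
Import-Module ActiveDirectory

$Domain     = 'corp.example.edu'
$DomainDN   = 'DC=corp,DC=example,DC=edu'
$StudentsOU = "OU=Students,OU=Users,OU=Building,$DomainDN"
$SvcAccount = 'CORP\svc-meraki-ldap'
$StudentSam = 'jstudent2027'
$StaffSam   = 'jteacher'

# 1. Every ACE on the Students OU that names the service account.
#    For the deny to reach the Grad Year OUs and the user objects in them, expect
#    AccessControlType = Deny, rights that include ReadProperty / ListChildren /
#    ListObject (or GenericRead), and InheritanceType = All.
Write-Host "== ACEs for $SvcAccount on $StudentsOU =="
(Get-Acl -Path "AD:\$StudentsOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $SvcAccount } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
                  IsInherited, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 2. Search as the service account from the domain root, the way a directory-
#    integrated service that has to locate a user by name would. A student that
#    still shows up here is readable by the account despite the deny; a student
#    that does not show up means the LDAP search path is correctly blocked.
$cred = Get-Credential -UserName $SvcAccount -Message 'Service account password'
Write-Host "== Lookups bound as $SvcAccount from $DomainDN =="
foreach ($sam in @($StudentSam, $StaffSam)) {
    $found = Get-ADUser -Server $Domain -Credential $cred `
                        -SearchBase $DomainDN -SearchScope Subtree `
                        -Filter "sAMAccountName -eq '$sam'" `
                        -ErrorAction SilentlyContinue
    if ($found) {
        '{0,-16} VISIBLE     {1}' -f $sam, $found.DistinguishedName
    } else {
        '{0,-16} NOT VISIBLE' -f $sam
    }
}

# 3. Look for an explicit (non-inherited) Allow for the service account on any
#    OU below Students. Explicit ACEs win over inherited ones, so an Allow set
#    directly on a Grad Year OU would silently undo the inherited Deny there.
Write-Host "== Explicit Allow ACEs for $SvcAccount below $StudentsOU =="
Get-ADOrganizationalUnit -SearchBase $StudentsOU -SearchScope Subtree -Filter * |
    ForEach-Object {
        $ouDN = $_.DistinguishedName
        (Get-Acl -Path "AD:\$ouDN").Access |
            Where-Object { $_.IdentityReference.Value -eq $SvcAccount -and
                           $_.AccessControlType -eq 'Allow' -and
                           -not $_.IsInherited } |
            ForEach-Object { "Explicit Allow ($($_.ActiveDirectoryRights)) on $ouDN" }
    }
```

Step 2 is the useful discriminator: if the student account is returned to a search bound as the service account, the deny is not doing what the ACL editor suggests and steps 1 and 3 will usually show why (wrong rights, inheritance limited to "this object only", or an explicit Allow lower down). If the student is not returned yet can still sign in through the splash page, the account lookup is not what is letting students through, and that is the detail worth putting in front of Meraki support.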