Meraki

Community

Splash Page RADIUS override vlan tag

Adzli
Conversationalist
‎Nov 20 2022 7:40 PM
‎Nov 20 2022 7:40 PM

Splash Page RADIUS override vlan tag

I have one ssid that need more than one vlan tag.

I tried to configure per-user vlan tagging using splash page authentication by radius server but there is no option for RADIUS override. I choose Security "Open", and splash page "sign-on with my RADIUS server".

Screenshot (99).png 

 

But when I changed the security option to "Enterprise with my RADIUS server" and splash page "None (direct access)" it shows an option for the RADIUS override.

Screenshot (100).png

 

Is there any other way to configure per-user vlan tagging using splash page authentication with my RADIUS server?

Labels:
0 Kudos
16 Replies 16
alemabrahao
Kind of a big deal
‎Nov 21 2022 1:34 AM
‎Nov 21 2022 1:34 AM

Splash page uses radius just for authentication, so you are not able to use radius attribute to override vlan. Take a look at this document:

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging_on_MR_Access_Points

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 21 2022 11:47 AM
‎Nov 21 2022 11:47 AM

Looking at one of the guides:

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf 

"The Meraki cloud platform receives an ACCESS-REJECT or ACCESS-ACCEPT response. The
response may include one or more RADIUS parameters that Meraki supports, e.g., bandwidth
limits and VLAN tags."

 

It looks like it is supported.  Have you just tried sending the VLAN tag from your RADIUS server?

 

0 Kudos
In response to PhilipDAth
alemabrahao
Kind of a big deal
‎Nov 21 2022 11:53 AM
‎Nov 21 2022 11:53 AM

The VLAN tag is possible, but he wants to override It by Radius attribute, and It's possible just on Enterprise authentication.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 21 2022 12:07 PM
‎Nov 21 2022 12:07 PM

I don't believe that is correct.  The documentation for custom splash pages for RADIUS authentication says you can pass a VLAN tag.

0 Kudos
In response to PhilipDAth
alemabrahao
Kind of a big deal
‎Nov 21 2022 1:28 PM
‎Nov 21 2022 1:28 PM

Well, I'm pretty sure that it's not possible to override VLAN for users with radius attributes. Yes, you can specify the VLAN tag on Ssid, but you can't override it.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 21 2022 1:37 PM
‎Nov 21 2022 1:37 PM

Reading the guest portal documentation closer, this is the allowed list of RADIUS attributes for a splash portal.

PhilipDAth_0-1669066619565.png

 

You could drop the user into any VLAN you want using the Filter-Id attribute, and configuring a Meraki group policy to specify the VLAN.

0 Kudos
In response to PhilipDAth
alemabrahao
Kind of a big deal
‎Nov 21 2022 1:45 PM
‎Nov 21 2022 1:45 PM

Oh, but this case you will need a group policy, but you can't configure directly to override it on SSID, but to be honest, I think 801.x is better than splash page. 😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adzli
Conversationalist
‎Nov 21 2022 3:04 PM
‎Nov 21 2022 3:04 PM

I had tried using the group policy method, but there just have one option which is "assign group policy by device type"

 

CB0BED77-73E8-43ED-917A-F44E37FD1F17.png

My meraki dashboard does not have the option on the picture above.

0 Kudos
In response to Adzli
alemabrahao
Kind of a big deal
‎Nov 21 2022 3:44 PM
‎Nov 21 2022 3:44 PM

Filter-ID is used on the radius policy, you have to set the group policy name on Filter-ID.

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adzli
Conversationalist
‎Nov 21 2022 4:04 PM
‎Nov 21 2022 4:04 PM

looks like splash page with radius does not support that because there is no option to choose for the ssid to use the filter-id attribute.

 

anyways is there any other ways to tag more than one vlan on one ssid?

0 Kudos
In response to Adzli
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 21 2022 4:22 PM
‎Nov 21 2022 4:22 PM

Correct, the SSID does not show it as an option.  Incorrect - the splash page still responds to that RADIUS attribute.

 

I've posted the link to the official EXCAP documentation for splash pages saying it is supported, I've posted a screen shot from the documentation showing it is supported - but perhaps the documentation and I are wrong.

0 Kudos
In response to PhilipDAth
grepaly
Here to help
‎Mar 21 2024 9:21 AM
‎Mar 21 2024 9:21 AM

Hello,

 

I am trying to make this working (overriding VLAN by Radius using splash page), but it seems I can not make it working. I tried it both ways, sending the Tunnel-Private-Group-Id and also Filter-ID (and configuring the group policy). Maybe you are aware of any tricks or pitfalls?

 

A.

 

0 Kudos
In response to grepaly
alemabrahao
Kind of a big deal
‎Mar 21 2024 9:27 AM
‎Mar 21 2024 9:27 AM

 To perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:

  • MAC-based access control (no encryption)

  • WPA2-Enterprise with 802.1x authentication

A per-user VLAN tag can be applied in 3 different ways:

  1. The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
     
  2. The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
     
  3. On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
grepaly
Here to help
‎Mar 21 2024 9:34 AM
‎Mar 21 2024 9:34 AM

Ok, but the question was not this. The question is, can the VLAN override be done with using splash page + Radius? Several people seem to say that it is possible, plus the captive portal documentation also mention that: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf

For me it does not seem to work, but I might be missing some detail.

With WPA2-Enterprise, I can confirm that it works. With MAC based auth I have not tried. But what I would need to do is none of this, it should be splash page, as we would need to offer several different auth methods and consequently assign the users to the right VLAN.

0 Kudos
In response to grepaly
alemabrahao
Kind of a big deal
‎Mar 21 2024 9:39 AM
‎Mar 21 2024 9:39 AM

Additionally, the RADIUS server must be configured to send an attribute along with its accept message, containing the name of a group policy configured in Dashboard (as a String). Commonly, the Filter-Id attribute will be used for this purpose. The screenshot below shows a network policy in Windows NPS, configured to pass the name of a Dashboard group policy ("LANAccess") within the Filter-Id attribute:

 

alemabrahao_0-1711039173332.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
‎Mar 21 2024 9:40 AM
‎Mar 21 2024 9:40 AM

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.