Splash Page RADIUS override vlan tag

Adzli
Conversationalist

Splash Page RADIUS override vlan tag

I have one ssid that need more than one vlan tag.

I tried to configure per-user vlan tagging using splash page authentication by radius server but there is no option for RADIUS override. I choose Security "Open", and splash page "sign-on with my RADIUS server".

Screenshot (99).png 

 

But when I changed the security option to "Enterprise with my RADIUS server" and splash page "None (direct access)" it shows an option for the RADIUS override.

Screenshot (100).png

 

Is there any other way to configure per-user vlan tagging using splash page authentication with my RADIUS server?

16 Replies 16
alemabrahao
Kind of a big deal
Kind of a big deal

Splash page uses radius just for authentication, so you are not able to use radius attribute to override vlan. Take a look at this document:

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging_on_MR_Access_Points

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Looking at one of the guides:

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf 

"The Meraki cloud platform receives an ACCESS-REJECT or ACCESS-ACCEPT response. The
response may include one or more RADIUS parameters that Meraki supports, e.g., bandwidth
limits and VLAN tags."

 

It looks like it is supported.  Have you just tried sending the VLAN tag from your RADIUS server?

 

alemabrahao
Kind of a big deal
Kind of a big deal

The VLAN tag is possible, but he wants to override It by Radius attribute, and It's possible just on Enterprise authentication.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't believe that is correct.  The documentation for custom splash pages for RADIUS authentication says you can pass a VLAN tag.

alemabrahao
Kind of a big deal
Kind of a big deal

Well, I'm pretty sure that it's not possible to override VLAN for users with radius attributes. Yes, you can specify the VLAN tag on Ssid, but you can't override it.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Reading the guest portal documentation closer, this is the allowed list of RADIUS attributes for a splash portal.

PhilipDAth_0-1669066619565.png

 

You could drop the user into any VLAN you want using the Filter-Id attribute, and configuring a Meraki group policy to specify the VLAN.

alemabrahao
Kind of a big deal
Kind of a big deal

Oh, but this case you will need a group policy, but you can't configure directly to override it on SSID, but to be honest, I think 801.x is better than splash page. 😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adzli
Conversationalist

I had tried using the group policy method, but there just have one option which is "assign group policy by device type"

 

CB0BED77-73E8-43ED-917A-F44E37FD1F17.png

My meraki dashboard does not have the option on the picture above.

alemabrahao
Kind of a big deal
Kind of a big deal

Filter-ID is used on the radius policy, you have to set the group policy name on Filter-ID.

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adzli
Conversationalist

looks like splash page with radius does not support that because there is no option to choose for the ssid to use the filter-id attribute.

 

anyways is there any other ways to tag more than one vlan on one ssid?

PhilipDAth
Kind of a big deal
Kind of a big deal

Correct, the SSID does not show it as an option.  Incorrect - the splash page still responds to that RADIUS attribute.

 

I've posted the link to the official EXCAP documentation for splash pages saying it is supported, I've posted a screen shot from the documentation showing it is supported - but perhaps the documentation and I are wrong.

grepaly
Here to help

Hello,

 

I am trying to make this working (overriding VLAN by Radius using splash page), but it seems I can not make it working. I tried it both ways, sending the Tunnel-Private-Group-Id and also Filter-ID (and configuring the group policy). Maybe you are aware of any tricks or pitfalls?

 

A.

 

alemabrahao
Kind of a big deal
Kind of a big deal

 To perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:

  • MAC-based access control (no encryption)

  • WPA2-Enterprise with 802.1x authentication

A per-user VLAN tag can be applied in 3 different ways:

  1. The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
     
  2. The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
     
  3. On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
grepaly
Here to help

Ok, but the question was not this. The question is, can the VLAN override be done with using splash page + Radius? Several people seem to say that it is possible, plus the captive portal documentation also mention that: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf

For me it does not seem to work, but I might be missing some detail.

With WPA2-Enterprise, I can confirm that it works. With MAC based auth I have not tried. But what I would need to do is none of this, it should be splash page, as we would need to offer several different auth methods and consequently assign the users to the right VLAN.

alemabrahao
Kind of a big deal
Kind of a big deal

Additionally, the RADIUS server must be configured to send an attribute along with its accept message, containing the name of a group policy configured in Dashboard (as a String). Commonly, the Filter-Id attribute will be used for this purpose. The screenshot below shows a network policy in Windows NPS, configured to pass the name of a Dashboard group policy ("LANAccess") within the Filter-Id attribute:

 

alemabrahao_0-1711039173332.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels