I have one SSID that needs more than one VLAN tag.
I tried to configure per-user VLAN tagging using splash page authentication with a RADIUS server, but there is no option for RADIUS override. I chose Security "Open" and splash page "sign-on with my RADIUS server".
But when I changed the security option to "Enterprise with my RADIUS server" and splash page "None (direct access)" it shows an option for the RADIUS override.
Is there any other way to configure per-user VLAN tagging using splash page authentication with my RADIUS server?
The splash page uses RADIUS just for authentication, so you are not able to use a RADIUS attribute to override the VLAN. Take a look at this document:
https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging_on_MR_Access_Points
Looking at one of the guides:
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf
"The Meraki cloud platform receives an ACCESS-REJECT or ACCESS-ACCEPT response. The
response may include one or more RADIUS parameters that Meraki supports, e.g., bandwidth
limits and VLAN tags."
It looks like it is supported. Have you just tried sending the VLAN tag from your RADIUS server?
The VLAN tag is possible, but he wants to override it by RADIUS attribute, and that's possible just on Enterprise authentication.
I don't believe that is correct. The documentation for custom splash pages for RADIUS authentication says you can pass a VLAN tag.
Well, I'm pretty sure that it's not possible to override the VLAN for users with RADIUS attributes. Yes, you can specify the VLAN tag on the SSID, but you can't override it.
Reading the guest portal documentation closer, this is the allowed list of RADIUS attributes for a splash portal.
You could drop the user into any VLAN you want using the Filter-Id attribute, and configuring a Meraki group policy to specify the VLAN.
Oh, but in this case you will need a group policy; you can't configure the override directly on the SSID. To be honest, I think 802.1X is better than a splash page. 😅
I had tried using the group policy method, but there is just one option, which is "assign group policy by device type".
My Meraki dashboard does not have the option in the picture above.
Filter-Id is used in the RADIUS policy; you have to set the group policy name in Filter-Id.
It looks like the splash page with RADIUS does not support that, because there is no option to choose for the SSID to use the Filter-Id attribute.
Anyway, are there any other ways to tag more than one VLAN on one SSID?
Correct, the SSID does not show it as an option. Incorrect - the splash page still responds to that RADIUS attribute.
I've posted the link to the official EXCAP documentation for splash pages saying it is supported, and I've posted a screenshot from the documentation showing it is supported - but perhaps the documentation and I are wrong.
Hello,
I am trying to make this work (overriding the VLAN by RADIUS using a splash page), but it seems I cannot make it work. I tried it both ways, sending the Tunnel-Private-Group-Id and also Filter-Id (and configuring the group policy). Maybe you are aware of any tricks or pitfalls?
A.
To perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
MAC-based access control (no encryption)
A per-user VLAN tag can be applied in 3 different ways:
OK, but the question was not this. The question is, can the VLAN override be done using a splash page + RADIUS? Several people seem to say that it is possible, plus the captive portal documentation also mentions that: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf
For me it does not seem to work, but I might be missing some detail.
With WPA2-Enterprise, I can confirm that it works. With MAC-based auth I have not tried. But what I would need is none of these; it should be a splash page, as we would need to offer several different auth methods and consequently assign the users to the right VLAN.
Additionally, the RADIUS server must be configured to send an attribute along with its accept message, containing the name of a group policy configured in Dashboard (as a String). Commonly, the Filter-Id attribute will be used for this purpose. The screenshot below shows a network policy in Windows NPS, configured to pass the name of a Dashboard group policy ("LANAccess") within the Filter-Id attribute:
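The thread turns on which attributes the RADIUS server actually returns, so the following added example (not from any poster or from Meraki) decodes an Access-Accept, for instance one taken from a packet capture on the RADIUS server, and reports whether it carries a Filter-Id and a complete Tunnel-* VLAN triplet. The sample packet is constructed: "LANAccess" is the policy name quoted above, VLAN "30" is a hypothetical value, and the authenticator is zeroed and not verified.

```python
import struct

# Packet code and attribute numbers from RFC 2865 and RFC 2868.
ACCESS_ACCEPT, FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 2, 11, 64, 65, 81

def build_attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_accept(packet):
    """Return the VLAN-related attributes of an Access-Accept as a dict."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20  # skip 4-byte header and 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if attr_type == FILTER_ID:
            found["Filter-Id"] = value.decode("utf-8")
        elif attr_type == TUNNEL_TYPE:  # one tag byte, then a 3-byte integer
            found["Tunnel-Type"] = int.from_bytes(value[1:4], "big")
        elif attr_type == TUNNEL_MEDIUM:
            found["Tunnel-Medium-Type"] = int.from_bytes(value[1:4], "big")
        elif attr_type == TUNNEL_PGID:
            if value and 0x01 <= value[0] <= 0x1F:  # optional tag byte
                value = value[1:]
            found["Tunnel-Private-Group-Id"] = value.decode("utf-8")
        pos += packet[pos + 1]
    return found

def vlan_summary(attrs):
    """Report the group policy name and the VLAN ID, if the triplet is complete."""
    tunnel_ok = (attrs.get("Tunnel-Type") == 13  # 13 = VLAN (RFC 3580)
                 and attrs.get("Tunnel-Medium-Type") == 6  # 6 = IEEE-802
                 and "Tunnel-Private-Group-Id" in attrs)
    return {"group_policy": attrs.get("Filter-Id"),
            "tunnel_vlan": attrs.get("Tunnel-Private-Group-Id") if tunnel_ok else None}

# Constructed sample reply; VLAN "30" is a hypothetical value.
ATTRS = (build_attr(FILTER_ID, b"LANAccess") + build_attr(TUNNEL_PGID, b"30")
         + build_attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
         + build_attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06"))
SAMPLE = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(ATTRS)) + bytes(16) + ATTRS

if __name__ == "__main__":
    print(vlan_summary(parse_accept(SAMPLE)))
```

A `tunnel_vlan` of `None` alongside a present Tunnel-Private-Group-Id means the reply is missing Tunnel-Type or Tunnel-Medium-Type. The decoder shows only what the server sent, not whether the access point acts on it.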