Meraki

Community

WiFi through Google's credentials - How to filter it?

Roberto2
Just browsing
‎Aug 26 2019 2:38 PM
‎Aug 26 2019 2:38 PM

WiFi through Google's credentials - How to filter it?

Here at the school I work for we still use WPA2 as authentication for Meraki wifi. We have 2 available SSIDs (Staff and Students).

A while ago the students figured out the password for the Staff SSID, so it won't matter if I change it , they 'll find out eventually again.

Meraki allows me to enable 3rd party credentials, so I want to use our Google Suite for that. The problem is that the students also have Google's credentials, so how can I filter the access to only allow staff to use the Staff network?

Thanks!

0 Kudos
6 Replies 6
BrechtSchamp
Kind of a big deal
‎Aug 27 2019 2:16 AM
‎Aug 27 2019 2:16 AM

I'm not sure you can limit that. However, since you need to contact helpdesk to have the feature enabled, maybe you can ask them that too?

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_WPA2-Enterprise_with_G...

 

I think you may have to resort to a 3d party RADIUS server that integrates with the Google IAM platform(s).

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 27 2019 1:01 PM
‎Aug 27 2019 1:01 PM

Do you use an MDM or any system that can deploy certificates?  If so, I would look into using certificates for the staff devices.

 

In the Meraki world you have Systems Manager which can do this.  You can do things like say only devices with Systems Manager installed can connect (so you would only put it on staff devices):

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

You can also take it a step further (which I would) where you can get Systems Manager to deploy certificates onto the devices, and then using tags you can say only devices with a tag of "staff" are allowed on the staff SSID.  If you used it with studeny devices you can apply the same logic to only allow students to access the "student" ssid.  You can also kick a student off (say for a breach of policy) by simply removing the tag from their device.

Because this uses certificates there is no working around this.

https://documentation.meraki.com/SM/Other_Topics/Certificate-based_WiFi_authentication_with_Systems_...

 

 

For school assets you would normally make the device "fully" managed.  For Apple this is called "Supervised" mode, and for Android it is called "Device Owner" mode.

https://documentation.meraki.com/SM/Profiles_and_Settings/iOS_Supervision

https://documentation.meraki.com/SM/Device_Enrollment/Android_Enrollment

 

Note that Cisco Meraki Systems Manager also integrates with Apple School Manager (in case you use that).

https://documentation.meraki.com/SM/Profiles_and_Settings/Configuring_Apple_School_Manager_for_Share...

 

 

I don't personally like using it, by Systems Manager also has a BYOD mode you could use with student owned devices.  Note that BYOD mode can also be used to do lots of other things, but in this context I am only referring to it for configuring secure WiFi with certificates.

https://documentation.meraki.com/SM/Device_Enrollment/Containerization_with_Systems_Manager

In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 27 2019 1:02 PM
‎Aug 27 2019 1:02 PM

ps. Schools get such a huge discount from Meraki - it isn't very expensive (in my opinion).

0 Kudos
In response to PhilipDAth
Roberto2
Just browsing
‎Aug 27 2019 1:14 PM
‎Aug 27 2019 1:14 PM

Thanks you so much guys for your time!

 

Unfortunately, for budget restrictions, we don't have an MDM yet...

 

I think the best alternative would have to be deploying a free RADIUS server here on premises...

0 Kudos
In response to Roberto2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 27 2019 2:05 PM
‎Aug 27 2019 2:05 PM

What about using a single SSID (or converting the staff SSID to work the same as the student SSID) and then applying a group policy to staff devices to move them into the staff VLAN (also called per-device VLAN tagging)?

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

Failing that, if you have active directory you could use Microsoft NPS.

 

FreeRADIUS is an excellent product.  It will almost certainly be able to back into Google Suite to validate usernames/password BUT  knowing only the username/password how will you be able to identify which are teachers?  I suspect you would have to create a manual group in FreeRADIUS to do this.

 

0 Kudos
Bossnine
Building a reputation
‎Aug 29 2019 11:17 AM
‎Aug 29 2019 11:17 AM

I use the Google authentication method for our BYOD devices and for some reason lately some devices (phones mainly since that is what usually is on it) just randomly disconnect.  Not to mention each time a user enters a new building (which is a separate 'network') they have to re-authenticate.  I'm not sure if that's a problem on my end or Meraki, but it would be more frustrating if that were the authentication method for essential devices.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.