Wifi solution? - staff personal devices

LegoGeek
Getting noticed


Hey all,

 

Looking for a solution for managing staff personal devices on wifi/SSID(s) and restricting them on all the other SSID's in the system... (i.e. directing them to specific SSID's once authenticated).  We've learned over the years that no one will keep a password private... it gets handed out like candy so we changed over to this several years ago:

 

"Different policies by connection and SSID

https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Client...

 

It's becoming cumbersome.  I maintain an Excel Doc and manually add clients (via their MAC address) into SSID's and block them from others.  The reason it is cumbersome is that we have new hires and seasonal staff coming and going all year long and repeats. There is also one more layer of complexity - we use the "Different policies by connection and SSID" for restricting a handful of devices on timed schedules (a group within a group).

 

I'm looking for something else.  In essence, the SSID will be an elevated Guest Wifi idea without the daily "facebook check-ins" AND needs to restrict them from going back to Guest Wifi (and other known SSID's broadcasting). Once again, a solution with a password "only" will not work.

 

I'm guessing that a long time ago I latched on to the idea of "Different policies by connection and SSID" as the perfect solution and am not realizing there is an easier way to do the same thing another way?

 

Things we'd like to avoid: password, Radius Server, SM

Things we don't have: Radius Server

Things we do have: Meraki MX84; MS425, 320's 220's; MR's (obviously)
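The manual step described above (a spreadsheet of MAC addresses added to one SSID and blocked on another, with seasonal staff coming and going) is a reconciliation problem: compute who should have access today, diff it against what is currently configured, and apply only the changes. The script below is an added example and is not from this thread or from Meraki; the roster CSV, the SSID names `Staff-Personal` and `Guest-Wifi`, and the current allow list are all constructed. It stops at producing the list of actions; pushing them to the dashboard (by hand or via the Dashboard API) is left to the caller.

```python
"""Reconcile a staff roster against the per-SSID MAC lists kept by hand.

Added example (not from the thread or from Meraki): the roster, the current
allow list and the SSID names are all constructed here.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple, Union

STAFF_SSID = "Staff-Personal"   # assumed SSID names, not from the thread
GUEST_SSID = "Guest-Wifi"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept AA-BB-..., aabb.cc..., AA:BB:... and return lower-case colon form.

    Spreadsheets mix formats; a MAC that does not normalize is rejected rather
    than silently becoming a list entry that never matches any client.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class RosterEntry:
    name: str
    mac: str
    start: date
    end: Optional[date]          # None means permanent staff


def load_roster(text: str) -> List[RosterEntry]:
    """Parse a constructed CSV roster: name,mac,start,end (end may be blank)."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        end = row["end"].strip()
        entries.append(RosterEntry(
            name=row["name"].strip(),
            mac=normalize_mac(row["mac"]),
            start=date.fromisoformat(row["start"].strip()),
            end=date.fromisoformat(end) if end else None,
        ))
    return entries


def is_active(entry: RosterEntry, today: date) -> bool:
    """Seasonal staff are only entitled between their start and end dates."""
    return entry.start <= today and (entry.end is None or today <= entry.end)


def reconcile(roster_text: str, current_allowed: Set[str],
              today: Union[date, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Diff desired vs. current state and return the per-SSID actions needed.

    Returns {"add": [...], "remove": [...]}, each action being (ssid, operation, mac).
    A MAC added to the staff SSID is also blocked on guest; one whose entitlement
    has ended is removed from both lists, which is the offboarding step that is
    easy to forget when the lists are maintained by hand.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    desired = {e.mac for e in load_roster(roster_text) if is_active(e, today)}
    current = {normalize_mac(m) for m in current_allowed}
    actions: Dict[str, List[Tuple[str, str, str]]] = {"add": [], "remove": []}
    for mac in sorted(desired - current):
        actions["add"].append((STAFF_SSID, "allow", mac))
        actions["add"].append((GUEST_SSID, "block", mac))
    for mac in sorted(current - desired):
        actions["remove"].append((STAFF_SSID, "remove", mac))
        actions["remove"].append((GUEST_SSID, "unblock", mac))
    return actions


# Constructed sample data: one permanent employee, one seasonal hire whose
# contract has ended, and one new hire not yet in the spreadsheet.
ROSTER_CSV = """name,mac,start,end
Alice Permanent,AA-BB-CC-00-00-01,2015-01-05,
Bob Seasonal,aabb.cc00.0002,2018-11-01,2019-01-15
Carol Newhire,aa:bb:cc:00:00:03,2019-02-25,
"""

# What the spreadsheet currently says is allowed on the staff SSID (constructed).
CURRENT_STAFF_ALLOWED = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}

if __name__ == "__main__":
    for kind, items in reconcile(ROSTER_CSV, CURRENT_STAFF_ALLOWED, "2019-03-01").items():
        for ssid, op, mac in items:
            print(f"{kind:6} {ssid:14} {op:8} {mac}")
```

Run against the constructed data for 1 March 2019 it reports one addition (Carol, allowed on staff and blocked on guest) and one removal (Bob, whose seasonal contract ended in January); on a date inside Bob's contract it reports nothing to do. Keeping the roster as the source of truth and deriving the SSID lists from it is what makes the seasonal churn manageable without a RADIUS server.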

kYutobi
Kind of a big deal

What about you do a click-through splash page? Put splash frequency on 2-4hrs (or whatever) and block certain apps using layer 7 firewall rules? 

Enthusiast
kYutobi
Kind of a big deal

Meraki authentication with username and password as well. You can do it on a one user login limit as well. That way sharing logins won't be an issue.

Enthusiast
DonAnnett
Getting noticed

I know you mentioned you don't want to use RADIUS, and maybe that's because you don't want to stand this up yourself. There are some very good cloud-based identity management solutions out there that you can use which would give you all kinds of additional features.

 

JumpCloud is a good one that comes to mind. It's fairly light-weight and I've integrated it well with MR's.

 

Anyways, just another suggestion. 😉

LegoGeek
Getting noticed

@DonAnnett 


@DonAnnett wrote:

I know you mentioned you don't want to use RADIUS, and maybe that's because you don't want to stand this up yourself. There are some very good cloud-based identity management solutions out there that you can use which would give you all kinds of additional features.

 

JumpCloud is a good one that comes to mind. It's fairly light-weight and I've integrated it well with MR's.

 

Anyways, just another suggestion. 😉


You hit the nail on the head that I don't want to stand it up with my VM world (just don't trust their device next to anything production).  JumpCloud looks interesting.  So how does a device get to JumpCloud prior to even connecting to the wifi? I realize this is a strange question... but I'm just trying to understand the flow device > MR's > SSID > MS's > MX > Group Policies > JumpCloud RADIUS (yes/no)... authenticate!  In my mind, there is too much of the Meraki equipment that might potentially block the authenticating along the way?

DonAnnett
Getting noticed

It's going to be difficult to prevent employees from hopping onto your guest SSID. The best you can do is make the guest SSID experience so limited that staff wouldn't want to use it.

 

As far as JumpCloud (or even the Meraki built-in Authentication) they use 802.1x, so a user is immediately prompted for username and password when selecting the SSID. In the case of JumpCloud, as long as the AP's can reach JumpCloud's public IP then no problem. I have it running well behind MX, MS, MR. 

 

As others have stated, Meraki Auth will work to manage WiFi access. What I like about JumpCloud is that you can use it to manage cloud apps. I even set it up to integrate via SAML to manage Meraki dashboard access. It gets powerful when you start layering access control. When an employee leaves, you wipe them out of JC and all access is revoked from one place. As mentioned there are other IAM solutions in this space. JC is the only one I've spent time playing with.

LegoGeek
Getting noticed

@DonAnnett - does creating a user (thinking Meraki Authentication) limit them to specific SSID's?  Meaning, if they "know about" other hidden SSID's that are set up similar... will it authenticate them?  Does a "user account" allow them onto any SSID in the Org (and yes I understand they'd possibly jump to the Guest Wifi even if it was less desirable)?

DonAnnett
Getting noticed

All of that is configured on a per-SSID basis. So apply Meraki Auth to CorpSSID, and do click-through or whatever on your guest.

DHAnderson
Head in the Cloud

I use JumpCloud at my company and a couple of clients.  

 

It is basically a Cloud-based Active Directory, and the RADIUS is a breeze to set up.

 

I am a JumpCloud reseller, so I am a bit biased, but if you have any questions about it, let me know.

Dave Anderson
LegoGeek
Getting noticed

@DHAnderson I looked at JC last night and was very intrigued.  AND I see that there is Non-profit pricing. 2019 is a big IT budget year... I just don't think I can add yet more things to it that was unexpected.

 

I realize that I'm asking for help... my current solution is "free". However, I read a bit about other things JC offers like O365 integration which we are stepping into.  Possibly there is a handshake concept that could justify the means.  Might need to talk with you personally 😉

DHAnderson
Head in the Cloud

@LegoGeek you can pm me at dave.anderson@essential-consulting.com

Dave Anderson
LegoGeek
Getting noticed

@kYutobi 


@kYutobi wrote:

Meraki authentication with username and password as well. You can do it on a one user login limit as well. That way sharing logins won't be an issue.


So if a user does have more than one device, can you increase the limit so it would allow 2+ concurrent devices based on the limit?  We have housing scenarios as well and so we allow them to use AppleTV, some gaming consoles, etc.  This would work with that as well?

kYutobi
Kind of a big deal

@LegoGeek You can limit to one or multiple. Test out an SSID with this.

 

Capture.PNG

Enthusiast
LegoGeek
Getting noticed


@kYutobi wrote:

@LegoGeek You can limit to one or multiple.


Appealing idea... I like the "Allow user to create accounts" and "Administrator must authorize access"

 

Two questions:

 

1. It would appear that this method would not block them from other SSID's (eg. Guest Wifi) broadcasting in the same areas?

 

2. Say there is "misbehaving activity" according to our policies on Content Filtering... through this method, would we be able to narrow it down to the User, MAC/IP address, or both?  We currently have a syslog server and the MX is exporting the info... just curious if this method would help track those issues if they came up?
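On the second question above, the MX syslog export only carries the client's source IP and MAC; the user name lives wherever the splash or Meraki-auth login was recorded, so tying a content-filtering hit to a person is a join between the two. The script below is an added example, not from this thread or from Meraki: the syslog lines are constructed in the shape of the MX "urls" log role (epoch timestamp, device name, role, `src=`, `dst=`, `mac=`, then `request:`), and the MAC-to-user table stands in for whatever login record the SSID produces. Check the field layout against a line from your own syslog server before relying on the regex.

```python
"""Attribute MX URL-log lines to a user via the MAC seen at login.

Added example (not from the thread or from Meraki). The syslog lines and the
login table are constructed; the line shape approximates the MX "urls" role.
"""
import re
from typing import Dict, Iterable, Iterator, List, Set
from urllib.parse import urlsplit

# One "urls" line: <epoch> <device> urls src=IP:port dst=IP:port mac=MAC request: METHOD URL
URL_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<dev>\S+) urls "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"request: (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def parse_url_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed "urls" line; lines of other roles are skipped."""
    for line in lines:
        m = URL_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["mac"] = ev["mac"].lower()                 # normalise for the join
        ev["host"] = urlsplit(ev["url"]).hostname or ""
        yield ev


def attribute(lines: Iterable[str], logins: Dict[str, str],
              watch_hosts: Set[str]) -> List[dict]:
    """Return events to watched hosts, each tagged with the user seen at login for that MAC.

    A MAC with no login record is reported as 'unknown' rather than dropped, so a
    device that reached the SSID without authenticating still shows up in the report.
    """
    hits = []
    for ev in parse_url_events(lines):
        if ev["host"] in watch_hosts:
            hits.append({
                "ts": ev["ts"],
                "user": logins.get(ev["mac"], "unknown"),
                "mac": ev["mac"],
                "src": ev["src"],
                "url": ev["url"],
            })
    return hits


# Constructed sample export: four "urls" lines and one line of another role.
SAMPLE_SYSLOG = """\
1544023334.636131011 MX84 urls src=10.20.30.41:52354 dst=203.0.113.10:443 mac=AA:BB:CC:00:00:03 request: GET https://intranet.example/
1544023390.112233000 MX84 urls src=10.20.30.42:41000 dst=203.0.113.20:80 mac=AA:BB:CC:00:00:01 request: GET http://blocked.example/
1544023395.000000000 MX84 flows src=10.20.30.42 dst=203.0.113.20 mac=AA:BB:CC:00:00:01 protocol=tcp sport=41001 dport=80
1544023400.000000000 MX84 urls src=10.20.30.41:52360 dst=203.0.113.30:443 mac=AA:BB:CC:00:00:03 request: GET https://blocked.example/page
1544023410.000000000 MX84 urls src=10.20.30.77:50000 dst=203.0.113.30:443 mac=DE:AD:BE:EF:00:01 request: GET https://blocked.example/other
"""

# Constructed MAC -> user table, as a splash or Meraki-auth login record would provide.
SPLASH_LOGINS = {"aa:bb:cc:00:00:01": "alice", "aa:bb:cc:00:00:03": "carol"}


def sample_report() -> List[dict]:
    """Run the join over the constructed data for the host under investigation."""
    return attribute(SAMPLE_SYSLOG.splitlines(), SPLASH_LOGINS, {"blocked.example"})


if __name__ == "__main__":
    for hit in sample_report():
        print(f'{hit["ts"]} user={hit["user"]} mac={hit["mac"]} src={hit["src"]} {hit["url"]}')
```

On the constructed data the report shows three requests to the watched host: one attributed to alice, one to carol, and one from a MAC with no login record, which is the case an admin most wants flagged. With a per-user login limit on the SSID the MAC-to-user join is one-to-one; with a shared password it is not, which is the tracking problem a password-only SSID leaves open.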

PhilipDAth
Kind of a big deal

Just thinking about the guest access.

 

This is something I have done for a company before.  Enable the pre-paid billing mode for the SSID (make sure you enable "fast prepaid login page" otherwise they'll get prompted for payment details).  This lets you print out batches of PIN numbers.  You maybe print a batch of 100 at a time and give them to reception.  When someone wants guest WiFi get them to get a PIN code card from reception.  Make the card good for say 24 hours.

 

If you want, you could get reception to keep a register of users they give cards to.

 

This would make it very hard for staff to use the guest WiFi while still being relatively simple for guests.

https://documentation.meraki.com/MR/Splash_Page/Configuring_a_Prepaid_Card_Billing_SSID

PhilipDAth
Kind of a big deal

Ignoring the guest WiFi bit for the moment; you could also consider using Systems Manager in BYOD mode for staff mobile phones, and configuring this to deploy a certificate to the phone and using the certificate to authenticate the WiFi.  Very locked down.

 

You [could] first use an enrollment SSID to onboard their device.

https://documentation.meraki.com/MR/Splash_Page/Systems_Manager_Sentry_Enrollment

 

Here are the instructions to configure an SSID for certificate based authentication (for certificates deployed by Systems Manager).

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

LegoGeek
Getting noticed

@PhilipDAth As mentioned I was not wanting to introduce SM.  The cost alone would skyrocket and staff wouldn't want the intrusiveness of SM on their personal devices... it is not a BYOD type of situation.  More an elevated guest wifi.

 

You are correct though... a very locked down method. Thanks!

kYutobi
Kind of a big deal

@LegoGeek Have you tried playing with this for authentication? Maybe it can somewhat control it.

 

Capture.PNG

 

 

Enthusiast
LegoGeek
Getting noticed

@kYutobi I wonder what they mean by "and" = valid sponsor "and" own email address?  For that matter what does "valid sponsor" mean? As an Admin I still want the ability to deny certain users in the process even if they request it.
