I know you mentioned you don't want to use RADIUS, and maybe that's because you don't want to stand this up yourself. There are some very good cloud-based identity management solutions out there that you can use which would give you all kinds of additional features.

JumpCloud is a good one that comes to mind. It's fairly light-weight and I've integrated it well with MR's.

Anyways, just another suggestion. 😉

@DonAnnett 

---

@DonAnnett wrote:

I know you mentioned you don't want to use RADIUS, and maybe that's because you don't want to stand this up yourself. There are some very good cloud-based identity management solutions out there that you can use which would give you all kinds of additional features.

 

JumpCloud is a good one that comes to mind. It's fairly light-weight and I've integrated it well with MR's.

 

Anyways, just another suggestion. 😉

---

You hit the nail on the head that I don't want to stand it up with my VM world (just don't trust their device next to anything production).  JumpCloud looks interesting.  So how does a device get to JumpCloud prior to even connecting to the wifi? I realize this is a strange question... but I'm just trying to understand the flow device > MR's > SSID > MS's > MX > Group Policies > JumpCloud RADIUS (yes/no)... authenticate!  In my mind, there is too much of the Meraki equipment that might potentially block the authenticating along the way?

It's going to be difficult to prevent employees from hopping onto your guest SSID. The best you can do is make the guest SSID experience so limited that staff wouldn't want to use it.

As far as JumpCloud (or even the Meraki built-in Authentication) they use 802.1x, so a user is immediately prompted for username and password when selecting the SSID. In the case of JumpCloud, as long as the AP's can reach JumpCloud's public IP then no problem. I have it running well behind MX, MS, MR. 

As others have stated, Meraki Auth will work to manage WiFi access. What I like about JumpCloud is that you can use it to manage cloud apps. I even set it up to integrate via SAML to manage Meraki dashboard access. It get's powerful when you start layering access control. When an employee leaves, you wipe them out of JC and all access is revoked from one place. As mentioned there are other IAM solutions in this space. JC is the only one I've spent time playing with.

@DonAnnett DonAnnett - is creating a user (Thinking Meraki Authentication) Limit them to specific SSID's.  Meaning, if they "know about" other hidden SSID's that are set up similar... will it authenticate them?  Is a "user account" allow them to any SSID's in the Org (and yes I understand they'd possibly jump to the Guest Wifi even if it was less desirable).

All of that is configured on a per-ssid basis. So apply Meraki Auth to CorpSSID, and do click-through or whatever on your guest.

I use JumpCloud at my company and a couple of clients.  

It is basically a Cloud base Active Directory, and the RADIUS is a breeze to setup.

I am a JumpCloud reseller, so I am a bit biased, but if you have any questions about it, let me know.

@DHAnderson I looked at JC last night and was very intrigued.  AND I see that there is Non-profit pricing. 2019 is a big IT budget year... I just don't think I can add yet more things to it that was unexpected.

I realize that I'm asking for help... my current solution is "free". However, I read a bit about other things JC offers like O365 integration which we are stepping into.  Possibly there is a handshake concept that could justify the means.  Might need to talk with you personally 😉

@LegoGeek you can pm me at dave.anderson@essential-consulting.com

@kYutobi 

---

@kYutobi wrote:

Meraki authentication with username and password as well. You can do it on a one user login limit as well. That way sharing logins won't be an issue.

---

So if a user does have more than one device you can increase the limit it would allow 2+ concurrent devices based on the limit?  We have housing scenarios as well and so we allow them to use AppleTV, some gaming consoles, etc.  This would work with that as well?

@LegoGeek You can limit to one or multiple. Test out an SSID with this.

---

@kYutobi wrote:

@LegoGeek You can limit to one or multiple.

---

Appealing idea... I like the "Allow user to create accounts" and "Administrator must authorize access"

Two questions:

1. It would appear that this method would not block them from other SSID's (eg. Guest Wifi) broadcasting in the same areas?

2. Say there is "miss behaving activity" according to our policies on Content Filtering... through this method, would we be able to narrow it down to the User, MAC/IP address, or both?  We currently have a syslog server and the MX is exporting the info... just curious if this method would help track those issues if they came up?

@PhilipDAth As mentioned I was not wanting to introduce SM.  The cost alone would ski rocket and staff wouldn't want the intrusiveness of SM on their personal devices... it is not a BYOD type of situation.  More an elevated guest wifi.

You are correct though... a very locked down method. Thanks!

@LegoGeek Have you tried playing with this for authentication? Maybe it can somewhat control it.

@kYutobi I wonder what they mean by "and" = valid sponsor "and" own email address?  For that matter what does "valid sponsor" mean? As an Admin I still what the ability to deny certain users in the process even if they request it.