Hi Blake,
Our company uses Google identities for certain tasks and we have an organization managed in Google with our domain.
Using Google for guest access is a specific use case where we are not giving access to generic Google accounts but Google domain accounts under our domain.
The missing part is to have a chance to filter which users can be successfully authenticated, rather than everyone under our Google domain.
Using RADIUS for this could be an option, yes, but if we consider Google authentication then we should:
1) do MAC address bypass authentication and redirect to Cisco ISE
2) integrate ISE to Google via SAML and retrieve user attributes from there
3) authenticate with a guest portal in ISE
If we consider other types of identities, we would simply lose the integration we have with Google identities, and that would leave us with maybe AD or LDAP, but it is the same story regarding point #1 of the previous consideration.
Another thing to consider is that MAB does not provide encryption, and the only other available option for Meraki to ISE guest portal is 802.1X authentication, but this is traditionally something that cannot be easily managed by end users, so we should eventually consider an open SSID for onboarding and another SSID for production (so 1 SSID more...), and this complicates the solution (after all, it is guest access... right?).
One option may be to see if Google exposes identities via cloud LDAP, as I am reading here:
https://cloud.google.com/blog/products/identity-security/cloud-identity-now-provides-access-to-tradi...
In that case... would it be doable to restrict authentication by searching a specific OU via LDAP search from Google identities?
Let's imagine I would do that for AD via LDAP... can I restrict to specific groups?
If that is doable, then I can see if Google identities via LDAP expose a similar structure of Google groups or attributes, and restrict access in a more traditional way and keep it cloud to cloud.