I’m standing up a new office, and we’ve decided to go with Meraki all the way from the ISP handoff to the APs - so MX security appliance (MX100), MS switches (MS225s), and MR APs (MR42). I want to use a few VLANs - 4 internal/company based and 2 external based (Guest and an employee Wi-Fi). In past offices, we’ve used MR42s and set up a wireless BSSID 802.1X domain network for domain computers to automatically connect when they enter the office/network by way of RADIUS authentication. We used GPO to configure the domain computers and provide the certificate for the RADIUS authentication. Since we only had MR42s and no other Meraki devices, we could use the MR42 Wi-Fi for this setup. Now, with the network completely Meraki, I seem to be having issues. I want to continue the 802.1X BSSID domain wireless setup. Now I want to utilize RADIUS and/or LDAP for authenticating users in order to automatically link them to the appropriate VLAN using their security group membership in our AD. I also want to be able to use this combination to dynamically assign the appropriate VLAN for the switch port if they connect using Ethernet. This way, I don’t necessarily need to configure each port based on who is using it. We are moving to a “hotelling” office, so not everyone will be assigned a specific desk and desks will change day to day based on who reserves which desk, etc. So, each desk will be set up with an Ethernet docking station connected to a VoIP phone - so a data passthrough to the computer. Of course we thought this would all be simple by having an all-Meraki network. So, I’ve been trying to utilize Policy Objects, Group Policies, AD Group mapping, RADIUS on APs and through switches and the MX device. First question, since I’m having RADIUS failure issues with Wi-Fi: should I still use the MR42s as the RADIUS authenticators and assign VLAN tagging there?
Or, should I not do any VLAN tagging (other than the Meraki Guest Wi-Fi) or RADIUS at the MR42 and instead attempt to use the MS225 switches and/or MX100 for the authentication and VLAN assignment? From some of the tracing I’ve been able to do for the MR42 RADIUS failures, it looks like there are multiple RADIUS authentication requests being sent. Oh, we also utilize Azure Conditional Access for multi-factor, and I’ve not been able to exclude the office from the MFA verification, and even though I excluded myself from MFA, I still get prompted for verification each time I join an AP and when I move around and join another AP and back again. I have more questions, but this is already too long. What is the best combination of Meraki features to accomplish my goals - RADIUS, VLAN based on user/computer login, computer auto-join BSSID Wi-Fi, and utilizing AD security groups for VLAN assignment, etc.?
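Whichever device ends up as the 802.1X authenticator (MR access point or MS switch port), dynamic VLAN assignment works the same way on the wire: the RADIUS server returns the RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID) in its Access-Accept, and the authenticator moves the client into that VLAN. The example below is an added illustration, not the poster's configuration and not Meraki's code: it encodes those three attributes the way a RADIUS server would for a user whose AD group membership matches a policy, and parses them back the way an authenticator does, including the RFC 2868 rule that a leading byte above 0x1F in Tunnel-Private-Group-ID is data rather than a tag. The AD group names and the group-to-VLAN mapping are hypothetical; the policy fails closed (no matching group means no VLAN, so the client is rejected rather than dropped into a default VLAN).

```python
"""RFC 2868 tunnel attributes for 802.1X dynamic VLAN assignment.

Added example; the AD groups, VLAN numbers and policy order are constructed
for illustration and are not taken from any real environment.
"""
import struct

# RADIUS attribute type codes (RFC 2868) and the enumerated values used for VLANs.
TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID (the VLAN ID as a string)
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6     # Tunnel-Medium-Type value "IEEE-802"

# Hypothetical policy: AD security group DN -> VLAN. Order matters; the first
# matching group wins, so list the most privileged / most specific group first.
GROUP_TO_VLAN = {
    "CN=Finance-Users,OU=Groups,DC=example,DC=com": 10,
    "CN=Engineering-Users,OU=Groups,DC=example,DC=com": 20,
    "CN=Domain Computers,CN=Users,DC=example,DC=com": 30,
}


def select_vlan(member_of, policy=GROUP_TO_VLAN):
    """Pick the VLAN for a principal from its memberOf list; None = fail closed.

    Returning None (reject) instead of a default VLAN keeps an unmapped
    account from silently landing on an internal segment.
    """
    groups = set(member_of)
    for group, vlan in policy.items():
        if group in groups:
            return vlan
    return None


def encode_vlan_attributes(vlan_id, tag=0):
    """Build the three AVPs a RADIUS server places in Access-Accept.

    Each AVP is Type(1) Length(1) Tag(1) Value; the tag (0x00..0x1F) groups the
    three attributes together when several tunnels are offered.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    out = bytearray()
    out += struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
    group_id = str(vlan_id).encode("ascii")
    out += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group_id), tag) + group_id
    return bytes(out)


def parse_attributes(data):
    """Walk a RADIUS attribute list and return [(type, value_bytes), ...]."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_access_accept(data):
    """What the authenticator does: accept a VLAN only when a consistent
    Tunnel-Type=VLAN / Tunnel-Medium-Type=IEEE-802 / Tunnel-Private-Group-ID
    triple is present. Returns the VLAN ID or None."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte <= 0x1F is a tag; anything larger is string data.
            if value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            by_tag.setdefault(tag, {})[TUNNEL_PRIVATE_GROUP_ID] = text
    for _, triple in sorted(by_tag.items()):
        if (triple.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and triple.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in triple):
            text = triple[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "strict")
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
    return None


if __name__ == "__main__":
    # Constructed memberOf list for a finance user on a domain-joined machine.
    member_of = ["CN=Domain Users,CN=Users,DC=example,DC=com",
                 "CN=Finance-Users,OU=Groups,DC=example,DC=com"]
    vlan = select_vlan(member_of)
    accept = encode_vlan_attributes(vlan)
    print("server assigns VLAN", vlan, "->", accept.hex())
    print("authenticator decodes VLAN", vlan_from_access_accept(accept))
```

When a Meraki MS port or MR SSID is set to assign VLANs from RADIUS, these are the attributes the authenticator is looking for; a packet capture of the Access-Accept that shows them missing or inconsistent (different tags, a non-numeric group ID) usually explains a client landing in the port's native VLAN instead of the expected one.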