Public WiFi Aggregator using Cisco ISE with Meraki MR APs

samsackl
Cisco Employee

Hi Team,

A customer is looking to build a Public WiFi infrastructure to aggregate services across multiple MNOs and also other customers (such as retailers, etc.) on a SINGLE UNIVERSAL SSID. This new solution will offer the following services:

  • 3G Offload on behalf of multiple MNOs
  • Retail Customers
  • Public WiFi

The most challenging piece of this design is the requirement to broadcast ONE SINGLE SSID for All services except 3G offload EAP-SIM clients.


In other words:

  • Each MNO will have a unique "hidden" HS2.0 enabled SSID for 3G offload EAP-SIM clients.
  • Then, there will be ONE universal SSID for all other services with a front-facing captive portal. (This will serve 3G offload NON EAP-SIM, Retail Customers, Public WiFi.)

The hidden HS2.0 enabled SSID is quite easy, as it will be using EoGRE to the MNO's iWAG, and that's a standard configuration done on a per-SSID basis. Now the challenging part is the other UNIVERSAL SSID.


On that UNIVERSAL SSID, my customer wants to display a landing page with options for multiple MNOs [Please click if you are a Vodafone customer, T-Systems customer, AT&T customer, Verizon customer, etc.] OR [Please click if you are a Starbucks customer, Fridays customer, etc.] OR [Please click if you would like a WiFi pass for 1 hour, 2 hours, etc.].


Essentially, this UNIVERSAL SSID must be serving all the following:

  • MNO NON EAP-SIM clients (T-Systems, AT&T, Verizon, Vodafone, etc.)
  • Retail Customers (Starbucks, Fridays, etc.)
  • Public WiFi walk-in customers via voucher purchase


MNO traffic needs to be authenticated against the MNO Radius/AAA and also breaks out through the MNO network for LI (Lawful Inspection) and accounting purposes. I proposed Cisco ISE integration with Meraki for the following features:

  1. CWA
  2. CoA
  3. Radius Proxy
  4. Radius Accounting


Users should be authenticating as follows:


  1. 3G Offload NON EAP-SIM clients -> Mobile number (ISE should identify which Radius to relay based on user mobile number)
  2. Retail Customers -> Email (ISE should identify which Radius to relay based on user identity)
  3. Walk-in Customers -> Email & Voucher (Single Radius for all users)


Now my question is, how can a single UNIVERSAL SSID do the following:


  • Authenticate against multiple Radius servers (ISE will proxy Radius requests/responses to separate servers based on user number/identity)
  • AP routes traffic to multiple gateways based on a domain name (via a return attribute assigning the VLAN directly on the AP based on user number/identity and ISE logic)
  • Bill users on their respective billing platforms (ISE will also proxy accounting messages from the AP to separate accounting servers based on user number/identity)


Thanks for your help,
Sameh
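As an added illustration of the identity-based routing decision the post asks about (example code, not part of the original post and not Cisco ISE or Meraki functionality), the following classifies the User-Name a client submits through the portal into a tenant and picks that tenant's upstream AAA server, accounting server and return VLAN. All prefixes, domains and server names are constructed placeholders; the identity is client-supplied, so this is a routing decision only and the selected upstream AAA still does the authentication.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder tables: no real MNO, retailer or server values.
MNO_BY_PREFIX = {"+4917": "mno-a", "+4415": "mno-b"}        # E.164 prefix -> MNO
RETAIL_BY_DOMAIN = {"retailer-a.example": "retail-a",       # email domain -> retailer
                    "retailer-b.example": "retail-b"}
TENANTS = {  # per-tenant upstream auth server, accounting server, VLAN returned to the AP
    "mno-a":    ("aaa.mno-a.example", "acct.mno-a.example", 101),
    "mno-b":    ("aaa.mno-b.example", "acct.mno-b.example", 102),
    "retail-a": ("aaa.retail-a.example", "acct.retail-a.example", 201),
    "retail-b": ("aaa.retail-b.example", "acct.retail-b.example", 202),
    "walk-in":  ("aaa.voucher.example", "acct.voucher.example", 301),
}
E164 = re.compile(r"^\+[1-9]\d{7,14}$")
EMAIL = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

@dataclass(frozen=True)
class Route:
    tenant: str
    aaa: str      # server that authenticates the user (the proxy only relays)
    acct: str     # server that receives the proxied accounting records
    vlan: int     # returned to the AP so traffic breaks out via the right gateway

def classify(user_name: str, voucher: Optional[str] = None) -> Optional[Route]:
    """Routing decision for one RADIUS request. Returns None when the identity
    matches no tenant, so the proxy rejects instead of defaulting to some MNO."""
    name = user_name.strip()
    tenant = None
    if voucher:                       # walk-in: email + voucher, one AAA for all
        tenant = "walk-in" if EMAIL.match(name) else None
    elif E164.match(name):            # MNO NON EAP-SIM client: mobile number
        hits = [p for p in MNO_BY_PREFIX if name.startswith(p)]
        tenant = MNO_BY_PREFIX[max(hits, key=len)] if hits else None  # longest prefix
    else:                             # retail customer: email domain
        m = EMAIL.match(name)
        tenant = RETAIL_BY_DOMAIN.get(m.group(1).lower()) if m else None
    if tenant is None:
        return None
    aaa, acct, vlan = TENANTS[tenant]
    return Route(tenant, aaa, acct, vlan)

if __name__ == "__main__":
    for ident, v in [("+491701234567", None), ("alice@retailer-b.example", None),
                     ("bob@mail.example", "WIFI-2H-7K3Q"), ("eve@unknown.example", None)]:
        print(ident, "->", classify(ident, v))
```

Accounting-Requests should reuse the route cached for the session at authentication time (keyed on the session identifier) rather than re-classifying, so auth and accounting records always land on the same tenant's servers.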

Accepted Solution

Jason Kunst
Cisco Employee

Sameh, this is not something easily done with ISE, and it would be best to look into Cisco Service Provider EMSP perhaps? If you could do something with ISE, it seems like heavy customization.

This is really an internal design discussion with Advanced Services or a partner who might be able to do such an advanced integration.

Regardless, again, at this point it's not something easily answered, designed or vetted in a forum like this. The best bet would be to engage Cisco AS if it's something you still want to pursue with ISE.

My initial thoughts are I don't think ISE is the product you want to place in there.
