cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.
Get the latest news in this issue of the Cisco Small Business Monthly Newsletter

254
Views
0
Helpful
2
Replies
Highlighted

Implementing WPA - Enterprise across Multips SSID's

Hey guys -

I have a question regarding implementing WPA - Enterprise across multiple SSID's on an MX67w
I'm installing multiple MX67w's in a mid - sized corporation. I want to have 3 SSID's active that all are on a separate VLANs.
The 3 SSID's will be for Execs, General Employees, and guests.

 

I am currently using Jumpcloud as the Radius server that WPA will be authenticating with. The Radius server requires that the IP address match what the external IP address of the device using WPA - Enterprise. So if my External IP on my MX67 is "1.1.1.1" then the Radius server must also be "1.1.1.1".

This doesn't pose a problem for running a single SSID using WPA - Enterprise using that Radius server. However I cannot create a separate Radius server for the second and third SSID, because they would all the same IP and that is not allowed. If I use the same Radius server for all three though all users will be allowed onto the Execs VLAN and vice versa.

 

Is there a way for me to give each individual VLAN its own External IP address, so that I can have multiple Radius servers? Alternatively is there a way to make multiple Radius servers with the same IP? Or is there a better way of doing this?

 

Currently Upper management does not want to use Splash or any kind of Meraki Authentication, and they want all 3 SSID's to use enterprise.

 

Does anybody have a potential solution to this? All suggestions are welcome.
Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Advisor

Re: Implementing WPA - Enterprise across Multips SSID's

Typically you would solve this problem by matching on the Called-Station-Id attribute which identifies which SSID the user is trying to authenticate to.  I did a quick Google and JumpCloud does not appear to support this attribute.

 

If you have a small number of "privileged" users it will be easier to have less SSIDs, and manually assign group policies to move those users in a different vlan, give them different settings or different firewall rules.

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies 

 

 

Another common way is to use a single SSID and have the RADIUS server return the Filter-Id attribute to automatically apply the group policy to the user.  I did a Google on JumpCloud and it doesn't seem to support this either.

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies 

 

View solution in original post

2 REPLIES 2
Highlighted
Advisor

Re: Implementing WPA - Enterprise across Multips SSID's

Typically you would solve this problem by matching on the Called-Station-Id attribute which identifies which SSID the user is trying to authenticate to.  I did a quick Google and JumpCloud does not appear to support this attribute.

 

If you have a small number of "privileged" users it will be easier to have less SSIDs, and manually assign group policies to move those users in a different vlan, give them different settings or different firewall rules.

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies 

 

 

Another common way is to use a single SSID and have the RADIUS server return the Filter-Id attribute to automatically apply the group policy to the user.  I did a Google on JumpCloud and it doesn't seem to support this either.

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies 

 

View solution in original post

Highlighted

Re: Implementing WPA - Enterprise across Multips SSID's

The called station ID is how I have implemented this in the past, and should have included that this was not supported by Jumpcloud. The filter ID attribute is limited and requires a decent amount of work inside of a powershell script.

Manually assigning the users will be the route I suspect that we will be going. 

Thanks for the help Philip.