
Implementing WPA-Enterprise across Multiple SSIDs

Hey guys -

I have a question regarding implementing WPA-Enterprise across multiple SSIDs on an MX67w.
I'm installing multiple MX67w's in a mid-sized corporation. I want to have 3 SSIDs active that are all on separate VLANs.
The 3 SSIDs will be for Execs, General Employees, and guests.

 

I am currently using JumpCloud as the RADIUS server that WPA will be authenticating with. The RADIUS server requires that the IP address match the external IP address of the device using WPA-Enterprise. So if my external IP on my MX67 is "1.1.1.1" then the RADIUS server must also be "1.1.1.1".

This doesn't pose a problem for running a single SSID using WPA-Enterprise with that RADIUS server. However, I cannot create a separate RADIUS server for the second and third SSID, because they would all have the same IP and that is not allowed. If I use the same RADIUS server for all three, though, all users will be allowed onto the Execs VLAN and vice versa.

 

Is there a way for me to give each individual VLAN its own external IP address, so that I can have multiple RADIUS servers? Alternatively, is there a way to make multiple RADIUS servers with the same IP? Or is there a better way of doing this?

 

Currently, upper management does not want to use Splash or any kind of Meraki Authentication, and they want all 3 SSIDs to use enterprise.

 

Does anybody have a potential solution to this? All suggestions are welcome.
Thanks.

1 Accepted Solution

Philip D'Ath
VIP Alumni

Typically you would solve this problem by matching on the Called-Station-Id attribute, which identifies which SSID the user is trying to authenticate to. I did a quick Google and JumpCloud does not appear to support this attribute.

 

If you have a small number of "privileged" users it will be easier to have fewer SSIDs, and manually assign group policies to move those users into a different VLAN, give them different settings or different firewall rules.

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies 

 

 

Another common way is to use a single SSID and have the RADIUS server return the Filter-Id attribute to automatically apply the group policy to the user. I did a Google on JumpCloud and it doesn't seem to support this either.

 

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies 
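
The Called-Station-Id matching and Filter-Id return described in this answer, combined into one policy decision as an added example; it is not part of the original thread and is not JumpCloud or Meraki code. It assumes the RFC 3580 `MAC:SSID` layout for Called-Station-Id, and the SSID, group and policy names, the sample users and the `authorize` function are hypothetical.

```python
import re

# Constructed policy table: SSID -> (directory groups allowed, Filter-Id to return).
# SSID, group and policy names are assumptions made for this example.
SSID_POLICY = {
    "Corp-Exec": ({"execs"}, "Exec-Policy"),
    "Corp-Staff": ({"execs", "staff"}, "Staff-Policy"),
    "Corp-Guest": ({"guests"}, "Guest-Policy"),
}
# Constructed directory data standing in for the identity provider's group lookup.
SAMPLE_USERS = {"alice": {"execs"}, "bob": {"staff"}}

# RFC 3580 layout: AP MAC with '-' separators, then ':' and the SSID.
CALLED_STATION_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)$")


def parse_called_station_id(value):
    """Return (ap_mac, ssid), or None when the SSID suffix is missing or malformed."""
    match = CALLED_STATION_RE.match(value or "")
    return (match.group(1).upper(), match.group(2)) if match else None


def authorize(request, user_groups):
    """Policy decision for a user whose credentials have already been verified.

    request: dict of attributes taken from the Access-Request.
    user_groups: dict mapping username -> set of directory groups.
    """
    parsed = parse_called_station_id(request.get("Called-Station-Id"))
    if parsed is None:
        # Fail closed: without an SSID the per-SSID policy cannot be evaluated.
        return {"code": "Access-Reject", "reason": "no SSID in Called-Station-Id"}
    ssid = parsed[1]
    if ssid not in SSID_POLICY:
        return {"code": "Access-Reject", "reason": "unknown SSID"}
    allowed, filter_id = SSID_POLICY[ssid]
    groups = user_groups.get(request.get("User-Name"), set())
    if not groups & allowed:
        return {"code": "Access-Reject", "reason": "group not allowed on SSID"}
    # Filter-Id names the group policy the access point should apply.
    return {"code": "Access-Accept", "Filter-Id": filter_id}


if __name__ == "__main__":
    ap = "02-00-00-00-00-01"  # constructed AP MAC
    for user, ssid in [("alice", "Corp-Exec"), ("bob", "Corp-Exec"), ("bob", "Corp-Staff")]:
        req = {"User-Name": user, "Called-Station-Id": f"{ap}:{ssid}"}
        print(user, ssid, authorize(req, SAMPLE_USERS))
```

With one RADIUS server behind all three SSIDs, the per-SSID group check is what keeps a valid general-employee credential from being accepted on the Execs SSID.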

 


2 Replies


The Called-Station-Id is how I have implemented this in the past, and I should have included that this was not supported by JumpCloud. The Filter-Id attribute is limited and requires a decent amount of work inside of a PowerShell script.

Manually assigning the users will be the route I suspect that we will be going.

Thanks for the help Philip.