
Mixed Mode SSID

sysint-12
Level 3

I'm trying to reduce the number of SSIDs that our company utilises. We are in the process of deploying a new ISE service, and so we should be able to combine 4 SSIDs into one, by getting ISE to assign the relevant local VLAN that clients should break out on depending on the domain/user/group that is authenticating.

However, that still leaves a few SSIDs which either authenticate using passphrases or need to break out centrally at an MX appliance.

Is there any way to have an SSID which can break out both locally on a VLAN and centrally at an MX depending on either authentication or device type or by TAG associated with the AP the devices are connecting to?

Accepted Solutions

Philip D'Ath
Meraki Community All-Star

> Is there any way to have an SSID which can break out both locally on a VLAN and centrally at an MX

I'm 99% sure the answer is no. The SSID must either be configured for tunnelling to an MX, or not. It is not a setting done per client.


5 Replies

aleabrahao
Meraki Community All-Star

You can create policies in ISE to assign different VLANs. This will depend on how you configure the policies, of course. This example is for the Catalyst 9800, but you can reproduce it for Meraki.
This is something that depends more on ISE than Meraki itself.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216130-configure-catalyst-9800-wlc-ipsk-with-ci.html

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Have your RADIUS server return the Filter-Id attribute, which will correspond with the name of a locally defined group policy that is configured on the Meraki network. You can perform wireless VLAN overrides and traffic shaping, L3 and L7 FW rules in this manner, all locally. For your central MX you can define the group policy and manually bind that policy to the interface.

Thanks for the information, but just to make sure I'm not misunderstanding: the group policy itself will not determine whether the client should break out locally from the SSID or tunnel back to the MX; it only sets the local VLAN override, L3/7 FW and traffic shaping.

If that is the case, then I guess @Philip D'Ath can change his 99% to 100%. 🙂

Thanks all for the responses. I'd raise a feature request but suspect I'd be the only client requesting it.

Philip D'Ath
Meraki Community All-Star

> the group policy itself will not determine whether the client should break out locally from the SSID or tunnel back to the MX; it only sets the local VLAN override, L3/7 FW and traffic shaping.

That is the case.
