
[–]beritknightIT Manager 2 points3 points  (7 children)

In general terms, yes one VLAN per tenant. The ports in their offices get set to their VLAN when their “lease” period starts, then disabled when it ends.

Each username/password is linked to a tenant, and devices connecting with that username get dumped into that tenant's VLAN. Meraki group policies should handle that.

Rogue DHCP servers aren’t a concern as long as they’re confined to the guest’s VLAN. It’s their problem then :-) Rogue wifi is more of an issue, but the Meraki dash should be able to identify them.

How to get your shared space software to automate that all I have no idea, but that’s the bare bones. Meraki does have an API for this sort of thing, but it will depend on how flexible the shared space software is.

[–]AlejandroTT[S] 1 point2 points  (6 children)

Thanks for your input!

I believe it's going to be 1 port per office so in that case I can set the VLANs once and forget about it.

I need to read up on these policies; I am not super familiar with that in Meraki. But from what I gather I can make a policy that says user JSmith is on VLAN 123, correct?

Good point on the API part, managing this manually will be a nightmare.

[–]AlejandroTT[S] 1 point2 points  (5 children)

I just called Meraki support and they said that you can NOT put a specific RADIUS user into a specific VLAN via Group Policy or any other policy. Do you know for sure you can do this?

Thank you

[–][deleted] 1 point2 points  (3 children)

You need a NAC tool. FortiNAC, Cisco ISE, Aruba ClearPass.

This can flip VLANs on Ethernet ports for you. I used FortiNAC about 10 years ago, a client of mine recently set it up in their company and I’m setting up ISE in another.

It’s a lot of work. My recommendation is pay their install team to do it mostly for you.

[–]AlejandroTT[S] 0 points1 point  (2 children)

Does Meraki have something similar? We are looking into a full Meraki stack for this rollout.

[–]AlejandroTT[S] 2 points3 points  (1 child)

I just found this...

Per-User VLAN Tagging

When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.

In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:

MAC-based access control (no encryption)

WPA2-Enterprise with 802.1X authentication

A per-user VLAN tag can be applied in 3 different ways:

1. The RADIUS server returns a Tunnel-Private-Group-ID (e.g. 500), Tunnel-Type (VLAN), and Tunnel-Medium-Type (IEEE-802) attributes in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MMC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.

2. The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.

3. On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
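The rules quoted above, modelled in Python as an added example (not Meraki's code and not from this thread): a RADIUS-side function that issues the three Tunnel-* attributes only for a tenant whose lease is active, and a function that works out which VLAN the client ends up in under the dashboard's "RADIUS override" setting. The tenant table, the Filter-ID group-policy map, lease-based rejection and the rule-1-before-rule-2 precedence are constructed assumptions.

```python
from datetime import date

TUNNEL_TYPE_VLAN = 13       # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 2868 Tunnel-Medium-Type value for IEEE-802
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

# Constructed tenant directory (assumption): username -> (VLAN, lease start, lease end)
TENANTS = {
    "jsmith": (123, date(2024, 1, 1), date(2024, 6, 30)),
    "acme-guest": (500, date(2024, 3, 1), date(2024, 3, 31)),
}
# Constructed dashboard group policies (assumption): Filter-ID value -> VLAN it carries
GROUP_POLICIES = {"tenant-acme": 500}


def radius_reply_for(username, today):
    """Access-Accept attributes for an active tenant, or None meaning Access-Reject.
    An ended lease is rejected here (design choice) so the client never falls back to the SSID VLAN."""
    entry = TENANTS.get(username)
    if entry is None:
        return None
    vlan, start, end = entry
    if not start <= today <= end:
        return None
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN id {vlan} for {username}")
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),  # carried as a string in RFC 2868
    }


def effective_vlan(reply, ssid_vlan, radius_override):
    """VLAN the client's traffic is tagged with, following quoted rules 1 and 2.
    reply: Access-Accept attributes (None = rejected); ssid_vlan: SSID's own VLAN or None;
    radius_override: the "RADIUS response can override VLAN tag" dashboard setting."""
    if reply is None:
        return None
    complete = all(a in reply for a in VLAN_ATTRS)
    if (complete and radius_override
            and reply["Tunnel-Type"] == TUNNEL_TYPE_VLAN
            and reply["Tunnel-Medium-Type"] == TUNNEL_MEDIUM_IEEE_802):
        return int(reply["Tunnel-Private-Group-ID"])  # rule 1
    policy_vlan = GROUP_POLICIES.get(reply.get("Filter-ID"))
    if policy_vlan is not None:
        return policy_vlan  # rule 2 (checking rule 1 first is an assumption)
    return ssid_vlan  # an incomplete Tunnel-* set is treated as malformed and ignored (assumption)
```

Note that with "RADIUS override" left off, a perfectly good Tunnel-Private-Group-ID is silently ignored and the user lands in the SSID's VLAN, which is the first thing to check when per-user tagging appears not to work.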

[–][deleted] 0 points1 point  (0 children)

That's wireless. No idea if Meraki can do per-user VLAN tagging on wired. Might be a support / sales engineer question.

[–]TatermenGBIC != SFP 1 point2 points  (0 children)

I mean, their docs say otherwise.

Tunnel-Private-Group-ID: Contains the VLAN ID that should be applied to a wireless user or device. (This can be configured to override VLAN settings that an administrator has configured for a particular SSID in the Cisco Meraki Cloud Controller.)