More and more clients are giving guests more access than corporate users. Meraki works very well when you assume the old way (open for office users, restricted for guests), which means you need to do a few things differently from the manual or the usual approach. The major benefit of the method described here is the flexibility of group policies.
The original title of this could have been a few things (link bait!):
Meraki Guest Access W/Group Policies
Meraki Guest Access In Bridged Mode W/Client Exclusion…
Meraki Guest Access where guest access is less restrictive than default
More Flexible Meraki Guest Access
Issues Discussion
One of the best things about Meraki is that guest wireless is only a few clicks away: typically you use NAT mode to provide client exclusion, firewall the users off from corporate resources, shape the traffic, and then perform content filtering at the edge.
The only downfall is that this assumes the default filter on your firewall is what you want for guests. Unless clients authenticate with Active Directory, there is no way to assign a policy to them, because they are all NAT’d behind a random IP address by the access point. Even using the built-in Meraki RADIUS and creating a “guest” account does not let you assign a group policy.
This is where the Meraki integration falls over a bit: the extended content filtering capabilities of the security appliance live on the security appliance. In order to filter web content I need to get the traffic over there first, in a way that can be identified, and only then can I apply a content filter to it.
It would be easier if I could simply tell the SSID that all users on it get a given group policy, but I cannot do that; those policies are a security appliance feature, not a wireless one.
There are three ways to content (web) filter traffic on Meraki:
1) Default Policy – if a client has no policy, this one is used.
2) AD Authentication – a Meraki group policy can be assigned to an AD group.
3) Segregated VLAN – if you create a VLAN on the security appliance, you can assign a group policy to anyone on it (I wish I could do that to an SSID!).
The issue is that the very easy to manage NAT mode, which also provides client exclusion, only goes over the default VLAN of the AP: you cannot select which VLAN the SSID is on if it is in NAT mode. That means I’m stuck with the default policy for unauthenticated users, and leaving NAT mode to get onto a separate VLAN also means losing client exclusion.
Solution
Here is a way to run guest wireless on a segregated SSID and a segregated VLAN:
1) Go into group policies and build your guest policy. This is the real benefit of this method: you can now build a policy for the guest network, with schedules, shaping and content filtering all visible on this one screen. You can even create flexible, schedule-based filtering, which you cannot do the other way.
2) Create your new VLAN on the security appliance and put it in an IP scope that will not interfere with, or be used by, anything else. Assign your guest policy to this VLAN.
3) Create the new SSID and assign it to that new VLAN. You can use any association or splash page option you want at this step. Make sure you use Bridge mode and tag it to VLAN 99.
4) Now create a firewall rule by clicking the Firewall and Traffic Shaping link above.
5) You want to DENY all RFC 1918 (private) addresses but ALLOW your default gateway address, and also select “Deny” for the “Local LAN” option. This prevents guests from talking to each other (even on the same AP). If you want some extra shaping, do it below; on guest I like to limit media streaming to 512K, which is enough for YouTube SD but does not allow 1080p streaming.
6) TEST!
You are done. Test it out and make sure it works, confirm that you cannot reach any resources you want restricted, and enjoy your new “Group Policy” controls for guests.
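Because the guest VLAN itself sits inside RFC 1918 space, the order of the rules in step 5 matters: the gateway allow must come before the private-range denies or the gateway gets blocked too. The following added example (not from the original post or from Meraki) builds that rule set in the comment/policy/destCidr shape used by the Meraki Dashboard API's SSID L3 firewall payload (an assumption about its format), evaluates sample destinations first-match, and flags any allow rule shadowed by an earlier deny. The guest VLAN 99 subnet 10.99.0.0/24 and MX address 10.99.0.1 are assumed values.

```python
# Added example: model the step-5 guest SSID firewall rules and check their order
# offline before pushing them. Assumed: VLAN 99 = 10.99.0.0/24, MX = 10.99.0.1.
import ipaddress

GUEST_GATEWAY = "10.99.0.1"          # assumed MX address on the guest VLAN
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_guest_rules(gateway: str = GUEST_GATEWAY) -> dict:
    """Ordered rules: allow the gateway first, then deny all private space."""
    rules = [{"comment": "Allow guest VLAN gateway", "policy": "allow",
              "protocol": "any", "destPort": "Any", "destCidr": f"{gateway}/32"}]
    for cidr in RFC1918:
        rules.append({"comment": f"Deny private {cidr}", "policy": "deny",
                      "protocol": "any", "destPort": "Any", "destCidr": cidr})
    # "Local LAN" = Deny from step 5: guests may not talk to each other.
    return {"rules": rules, "allowLanAccess": False}


def evaluate(ruleset: dict, dst_ip: str) -> str:
    """First matching rule wins; an unmatched destination (internet) is allowed."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in ruleset["rules"]:
        if dst in ipaddress.ip_network(rule["destCidr"], strict=False):
            return rule["policy"]
    return "allow"


def check_order(ruleset: dict) -> list:
    """Report any allow rule that an earlier deny already covers (shadowing)."""
    problems, seen_denies = [], []
    for rule in ruleset["rules"]:
        net = ipaddress.ip_network(rule["destCidr"], strict=False)
        if rule["policy"] == "deny":
            seen_denies.append(net)
        elif any(net.subnet_of(d) for d in seen_denies):
            problems.append(f"'{rule['comment']}' is shadowed by an earlier deny")
    return problems


if __name__ == "__main__":
    rs = build_guest_rules()
    for ip in (GUEST_GATEWAY, "10.1.2.3", "192.168.1.10", "8.8.8.8"):
        print(ip, "->", evaluate(rs, ip))
    print("order problems:", check_order(rs) or "none")
```

Swapping the rules so the denies come first makes `check_order` report the shadowed gateway rule and `evaluate` deny the gateway, which is the symptom to look for if guests get an address but cannot reach anything.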
Great post, love Meraki’s simplicity & cloud management. Meraki Systems Manager makes managing guest access even easier, with automated WiFi and device settings.
[…] along with the MR access points. One of the most popular articles I have written to date was Meraki Guest Access – The Better way an article about another way to deploy guest access in the network with fine grained policies […]
Hi, great post. The only issue I have is that the web block page won’t show when configured as above. If, for example, I’m on the guest wifi VLAN and a page is blocked, then I’m unable to access the blocked page at wired.meraki.com, as this resolves to an IP address of the MX/router in an inaccessible VLAN. Would you have any idea how to get around this?
What if you put in a DNS entry that sends it to the default gateway on the correct lan? Try this with your host file first and see if that fixes it.
ptp: How to set one-at-a-time access in Meraki wireless?