
Per-User VLAN Tagging with Meraki and JumpCloud



Cisco Meraki wireless access points (WAPs) are some of the most popular in the industry. With the overall shift from wired to WiFi networks, Meraki is often an IT admin's first choice when it comes to WAPs, although solutions from Aruba and Ruckus get a fair amount of consideration as well. As an important part of managing and securing WiFi environments, many IT admins are leveraging VLAN tagging with Meraki equipment.

Physical VLAN Networking

IT networks have historically been built on wires and switches/routers, and part of the security model of a wired network was physical control. IT admins managed Virtual Local Area Network (VLAN) membership by assigning designated switch ports to a specific group of users: Accounting would be assigned one group of ports while Marketing was on another. This segmented traffic and limited what each group could reach. Software has since made that segmentation far more flexible than port-by-port assignment, but as organizations shift to WiFi, where there is no physical port to assign, the security model has to adjust as well.

Security Improvements via RADIUS

One way IT admins have stepped up the security posture of their WiFi networks is RADIUS authentication (WPA2-Enterprise with 802.1X). RADIUS raises the bar because each user of a given network logs in with their own unique credentials rather than a passphrase everyone shares. For example, think about a large college campus where students each access the network using a university-assigned username (often a student number) and a password created by the student. By replacing the shared passphrase commonly used for WiFi access with individual credentials, network security is increased because only those registered with the university can access the student network, and a single departing user can be cut off without rotating a passphrase for everyone. It's the same scenario for instructors. Yet some IT admins want to harden their network even further, and VLAN tagging, i.e. network segmentation, is often the next step.

VLAN Tagging, Groups, and Additional Equipment

As stated above, the idea is to create separate VLANs for different groups of users on the network so that they can only communicate with and access the resources that have been explicitly granted to them. Each VLAN carries a numeric identifier (an 802.1Q VLAN ID), which is used to place the user and device on the appropriate VLAN or network segment. While that all sounds pretty complex, VLAN tagging with Meraki isn't all that difficult. But it does require a number of additional components beyond the Meraki WAPs.

In order to properly implement dynamic, per-user VLAN assignment, IT admins need to connect the WAPs to a RADIUS server that is backed by an identity provider (IdP). When a user is authenticated all the way through to the identity provider (often a Microsoft® Active Directory® or OpenLDAP™ implementation), the RADIUS server adds what are called RADIUS reply attributes to its Access-Accept; for VLAN assignment these are the standard Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID (the VLAN ID) attributes, which together specify which VLAN a given user belongs to. The WAP then takes that information and places the user and device on the proper VLAN. Two practical checks: the SSID must be configured to honour RADIUS-assigned VLANs rather than a fixed per-SSID VLAN, and every VLAN ID the RADIUS server can hand out must exist on the switch trunk behind the AP, or the client authenticates successfully and then has no connectivity.
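To make the reply-attribute mechanism concrete, here is an added example (not JumpCloud, Meraki or FreeRADIUS code) that does both halves of the exchange in Python: the server side builds an Access-Accept carrying the RFC 2868 tunnel attributes for the VLAN that the user's group maps to, and the authenticator side verifies the Response Authenticator with the shared secret before trusting the VLAN assignment, falling back to the SSID's default VLAN when the reply carries no usable one. The group-to-VLAN table, the usernames and the shared secret are constructed for the example.

```python
"""RFC 2865/2868 per-user VLAN assignment, both sides of the RADIUS reply.
Constructed example; the group->VLAN table, users and secret are assumptions."""
import hashlib
import hmac
import os
import struct

# Attribute types (RFC 2865/2868) and the values that mean "put this session on a VLAN"
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802
ACCESS_ACCEPT = 2

# Hypothetical group -> VLAN mapping that the directory/IdP would hold
GROUP_VLANS = {"accounting": 10, "marketing": 20, "guests": 99}


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_reply_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Tunnel attributes that place the supplicant on vlan_id (RFC 2868/3580).
    Tagged integers are 1 tag byte + 3 value bytes; the tagged string gets a 1-byte tag prefix."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..0x1F")
    return (
        _attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )


def reply_attributes_for(username: str, group: str) -> bytes:
    """Server side: the attribute list for a user whose directory group maps to a VLAN."""
    return _attr(USER_NAME, username.encode()) + vlan_reply_attributes(GROUP_VLANS[group])


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: Access-Accept sealed with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes):
    """Walk the TLV list, refusing attributes whose Length runs past the packet."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _tagged(value: bytes):
    """Split an RFC 2868 tagged value: a first byte <= 0x1F is a tag, otherwise the value is untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes, default_vlan: int) -> int:
    """Authenticator (AP) side: verify the reply came from the RADIUS server, then pick the VLAN.
    Returns default_vlan when the reply carries no complete, in-range VLAN assignment."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    by_tag: dict = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _tagged(value)
            by_tag.setdefault(tag, {})[atype] = body
    for tag in sorted(by_tag):  # all three attributes must share a tag to form one assignment
        t = by_tag[tag]
        if (int.from_bytes(t.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(t.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and t.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vlan = int(t[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vlan <= 4094:
                return vlan
    return default_vlan


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; use a long random per-AP secret in practice
    request_auth = os.urandom(16)            # the Request Authenticator the AP sent in its Access-Request
    pkt = build_access_accept(7, request_auth, secret, reply_attributes_for("alice", "accounting"))
    print(vlan_from_access_accept(pkt, request_auth, secret, default_vlan=1))  # 10
```

The Response Authenticator check is the part worth noticing: an authenticator that skipped it would accept a VLAN assignment from anyone who can spoof UDP from the RADIUS server's address, which is exactly why the shared secret has to be long and random rather than a word. The parser also groups the three tunnel attributes by tag, as RFC 2868 requires, so a reply that names a VLAN without saying Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 is ignored and the client lands on the default VLAN instead of an arbitrary one.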

VLAN Tagging with Meraki from the Cloud

Implementing VLAN tagging is a significant project if the IT organization has to build, configure, and maintain each component described above. The good news is that there is a cloud identity management platform that does the bulk of the heavy lifting for you around VLAN tagging, the RADIUS server, and of course the identity provider. All you need to do is point your WAPs at the cloud RADIUS endpoint, share a RADIUS secret with the service, and decide which users and groups land on which VLAN.

Aside from those network security measures, this cloud identity management platform can connect you to a wide array of additional IT resources including systems (Windows®, Mac®, Linux®), web apps (Slack, GitHub™, Salesforce®), cloud infrastructure (AWS®, GCE, Azure®), file servers on-prem and in the cloud (NAS/Samba devices, Box™, Dropbox™), and much more, all with a single set of credentials via True Single Sign-On™. It's called JumpCloud® Directory-as-a-Service®, a modern reimagination of Active Directory and LDAP built for cloud-era IT.

Learn More About JumpCloud

Ready to embrace per-user VLAN tagging with Meraki and JumpCloud? Sign up today for a free JumpCloud Directory-as-a-Service account. As a free account holder you can manage up to 10 users for free, forever. No credit card required. If you need to manage more than 10 users, visit our pricing page. Once you've signed up for a free account or otherwise, check out our Knowledge Base and YouTube channel for more helpful information on getting the most out of Directory-as-a-Service.

