Per-User VLAN Tagging with Meraki and JumpCloud

Written by Ryan Squires on December 7, 2018


Cisco Meraki wireless access points (WAPs) are some of the most popular in the industry. Given the overall shift from wired to WiFi networks, Meraki is often an IT admin's first choice when it comes to WAPs, although solutions from Aruba and Ruckus get a fair amount of consideration as well. As an important aspect of managing and securing WiFi environments, many IT admins are leveraging VLAN tagging with Meraki equipment.

Physical VLAN Networking

IT networks have historically been connected via wires, switches, and routers. Part of the security model for wired networks was greater physical control: IT admins could manage Virtual Local Area Network (VLAN) access by assigning designated switch ports to a specific group of users. Accounting would be assigned one grouping of ports while Marketing was on another. This segmented traffic and increased security. Software has since radically improved the security of the networks these physical devices provide, but as organizations shift to WiFi, the security model must adjust as well.

Security Improvements via RADIUS

One way that IT admins have begun to step up the security posture of their WiFi networks is through RADIUS authentication. RADIUS offers an excellent increase in security for WiFi networks because it enables each user of a given network to log in with their own unique set of credentials. For example, think about a large college campus where students each access the network using a university-assigned username (often a student number) and a password created by the student. By eliminating the shared SSID passphrase commonly used for WiFi access, network security is increased because only those registered with the university can access the student network. It's the same scenario for instructors. Yet some IT admins are seeking to increase their network security even further, and VLAN tagging, or network segmentation, is often considered.

VLAN Tagging, Groups, and Additional Equipment

As stated above, the idea is to create separate VLANs for different groups of users on the network so that they can only communicate and access the resources that have been explicitly granted to them. These VLANs are tagged with unique identifiers which are subsequently used to place the user and device on the appropriate VLAN or network segment. While that all sounds pretty complex, VLAN tagging with Meraki isn’t all that difficult. But, it does require a number of additional components beyond the Meraki WAPs.

In order to properly implement dynamic, per-user VLAN assignment, IT admins need to connect the WAPs to a RADIUS server that is backed by an identity provider (IdP). When a user is authenticated all the way through to the identity provider (often a Microsoft® Active Directory® or OpenLDAP™ implementation), the RADIUS server attaches what are called RADIUS reply attributes, which specify which VLAN a given user belongs to. The WAP then takes that information and places the user and device on the proper VLAN.
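As an added illustration (not JumpCloud's or Meraki's code), here is how the reply attributes described above are expressed using the standard RFC 3580 tunnel attributes, and how a WAP is expected to validate them before moving a client. The group-to-VLAN mapping and the user records are constructed assumptions.

```python
# Added example: RFC 3580 VLAN reply attributes for per-user VLAN assignment.
# Not JumpCloud's or Meraki's code; the directory data below is constructed.
from typing import Optional

# Assumption: a directory group maps to one VLAN ID. Users in no mapped group
# get no VLAN attributes, so the WAP keeps the SSID's default VLAN.
GROUP_TO_VLAN = {"accounting": 10, "marketing": 20}

# Constructed sample directory: username -> groups the IdP returned.
DIRECTORY = {
    "alice": ["accounting", "all-staff"],
    "bob": ["marketing"],
    "carol": ["contractors"],
}


def vlan_reply_attributes(groups: list[str]) -> dict[str, str]:
    """Reply attributes the RADIUS server adds to Access-Accept for the
    user's first group that has a VLAN. Empty dict means 'no override'."""
    for g in groups:
        if g in GROUP_TO_VLAN:
            return {
                "Tunnel-Type": "VLAN",              # RFC 3580: value 13
                "Tunnel-Medium-Type": "IEEE-802",   # RFC 3580: value 6
                "Tunnel-Private-Group-Id": str(GROUP_TO_VLAN[g]),
            }
    return {}


def vlan_from_reply(attrs: dict[str, str]) -> Optional[int]:
    """What the WAP should do with the reply: honour the VLAN only when all
    three attributes are present and consistent and the ID is a valid
    802.1Q VLAN. None means 'leave the client on the SSID default VLAN'."""
    if attrs.get("Tunnel-Type") != "VLAN":
        return None
    if attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    try:
        vlan = int(attrs.get("Tunnel-Private-Group-Id", ""))
    except ValueError:
        return None  # a VLAN *name* is allowed by the RFC but not handled here
    return vlan if 1 <= vlan <= 4094 else None  # reject reserved/out-of-range IDs


def assign_vlan(username: str) -> Optional[int]:
    """End to end: IdP group lookup -> RADIUS reply attributes -> WAP decision."""
    groups = DIRECTORY.get(username, [])
    return vlan_from_reply(vlan_reply_attributes(groups))
```

Because the WAP silently falls back to the SSID's default VLAN on malformed or missing attributes, check the RADIUS server's reply logs, not just the client's connectivity, when a user lands on the wrong segment.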

VLAN Tagging with Meraki from the Cloud

The process of implementing VLAN tagging can be significant if the IT organization needs to build, configure, and maintain each component described above. While that may seem like a massive undertaking, the good news is that there is a cloud identity management platform that does the bulk of the heavy lifting for you around implementing VLAN tagging, a RADIUS server, and of course, the identity provider. All you need to do is point your WAPs to the cloud RADIUS endpoint and decide which users and groups are on which VLAN.

Aside from those network security measures, this cloud identity management platform can connect you to a wide array of additional IT resources including systems (Windows®, Mac®, Linux®), web apps (Slack, GitHub™, Salesforce®), cloud infrastructure (AWS®, GCE, Azure®), file servers on-prem and in the cloud (NAS/Samba devices, Box™, Dropbox™), and much more, all with a single set of credentials by utilizing True Single Sign-On™. It's called JumpCloud® Directory-as-a-Service®, and it's a modern reimagining of Active Directory and LDAP for the cloud era.

Learn More About JumpCloud

Ready to embrace per-user VLAN tagging with Meraki and JumpCloud? Sign up today for a free JumpCloud Directory-as-a-Service account. As a free account holder you can manage up to 10 users for free, forever. No credit card required. If you need to manage more than 10 users, visit our pricing page. Once you've signed up, for a free account or otherwise, check out our Knowledge Base and YouTube channel for more helpful information to help you get the most out of Directory-as-a-Service.

Ryan Squires

Ryan Squires is a content writer at JumpCloud, a company dedicated to connecting users to the IT resources they need securely and efficiently. He has a degree in Journalism and Media Communication from Colorado State University.
