VLAN Tagging Per Active Directory Group With Meraki Access Point

This will be a quick guide on configuring your Meraki Wireless Access Point to tag users in specific VLANs according to what AD group they are in.

In this example I will assume the following:

  1. You have a department called Sales (VLAN 10)
  2. You have a department called Technical (VLAN 20)
  3. These VLANs are already set-up
  4. You are using Windows Server RADIUS/NPS (Network Policy and Access Services). If you have not configured a RADIUS server for the Meraki AP, watch this blog for an update in the near future, as I will post a how-to for this.

Now, there are two ways of doing this. Both are very similar and involve the RADIUS server sending the AD group/VLAN ID back to the access point for tagging. I will go through one of the options below, but first, to briefly explain what happens at a high level:

  • Sales user connects to SSID CompanyABC
  • User enters AD credentials
  • AP passes these credentials to RADIUS server
  • RADIUS server says ‘yep these credentials are good. Oh and by the way, this guy is in the Sales group’
  • The AP knows that the Sales group is to be tagged in VLAN 10

Getting Started

Okay, so log on to your RADIUS server and locate the Network Policies section, as seen below.

NPS Server Role Manager

Create two policies for your Technical and Sales roles – most of the default settings are fine but as I mentioned at the beginning of this post, I will do a separate guide on setting up RADIUS on Windows Server in the near future.

Now in the Conditions tab of both these roles, you want to add the appropriate AD group – in the example below I have added the technical group to the technical policy.

Network Policy – Conditions Tab

Now the important bit, which tells the AP what VLAN to tag you in: this is done in the Settings tab under RADIUS Attributes – Standard.

If a ‘Filter-Id’ attribute isn’t already in there (it may be present by default with a value of NULL), add it with the value ‘Technical’. The name doesn’t matter as long as it matches the group in the Meraki Cloud Controller.

NPS – Network Policy Settings – RADIUS Attributes

Now we’re pretty much done on the RADIUS server side. There’s only one more change to make, and that is on the Meraki Cloud Controller: we need to create group policies whose names match the Filter-Id values, and each group policy defines which VLAN to tag the traffic in.

In my example below, Technical is tagged in VLAN 20 and Sales in VLAN 10.

Cisco Meraki Cloud Controller – Group Policies
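
To check that the Filter-Id your NPS policy actually returns lines up with a group policy name, here is an added example (not part of the original guide, and not Meraki or Microsoft code) that parses a RADIUS Access-Accept and looks up the VLAN from this guide's mapping. The function names, the constructed sample packets and the exact-case name comparison are assumptions.

```python
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865
FILTER_ID = 11     # RADIUS attribute type for Filter-Id, RFC 2865
# Group policy name -> VLAN, taken from this guide's example.
GROUP_POLICY_VLANS = {"Sales": 10, "Technical": 20}


def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def vlan_for_reply(packet: bytes):
    """Return (filter_id, vlan); vlan is None when no group policy name matches."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None, None
    for a_type, value in attrs:
        if a_type == FILTER_ID:
            name = value.decode("utf-8", "replace")
            # Assumption: names must match exactly, including case.
            return name, GROUP_POLICY_VLANS.get(name)
    return None, None  # accepted, but the policy sent no Filter-Id


def build_accept(filter_id):
    """Constructed sample Access-Accept (zeroed authenticator), for offline checks."""
    value = (filter_id or "").encode()
    attrs = bytes([FILTER_ID, len(value) + 2]) + value if filter_id else b""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for fid in ("Technical", "Sales", "technical", None):
        print(repr(fid), "->", vlan_for_reply(build_accept(fid)))
```

A result with a Filter-Id but no VLAN means the NPS value and the group policy name have drifted apart (a typo or case difference, for example), which is worth catching before users land in the wrong VLAN.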

That’s it! We’ve covered the main configuration changes to enable your Meraki AP to tag AD groups in specific VLANs. There may be some other minor config changes required in the Cloud Controller and your RADIUS server but we’ve gone over the main ones here.

If you have any questions, feel free to ask in the comments section below and I will try and answer them.