View Categories

Client Group Isolation on Cisco Meraki with iPSK and UDN Tags

When integrating EntryPoint iPSK with Cisco Meraki infrastructure, additional RADIUS attributes must be sent to achieve client isolation between device groups.

Unlike classic Cisco WLC, which uses dynamic iPSK tags, Meraki uses UDN (User-Defined Network) tags to isolate clients at the SSID level.

📚 How it Works #

  • When a device connects using iPSK, EntryPoint returns the group-specific PSK.

  • To enable group isolation, EntryPoint must also return a Cisco AV-Pair attribute containing the UDN tag.

  • The Meraki cloud controller reads this value and dynamically groups devices.

Devices with the same UDN tag can communicate with each other.
Devices with different UDN tags are isolated, even if they are connected to the same SSID.

⚠️ Note! If no UDN tag is used all devices can communicate with each other despite different PSK.

Required RADIUS Attribute Format #

The RADIUS attribute must be built using a Cisco AV-Pair format:

Cisco:Cisco-AVPair = "udn:private-group-id=<ID>"

Where <ID> is a unique numeric tag for each device group.

Practical Example #

Suppose you have two critical infrastructure groups:

 

Group Name PSK UDN Tag Value
Door Locks doorlocks-psk udn:private-group-id=10
Fire Alarms firealarms-psk udn:private-group-id=11

EntryPoint should, upon successful device lookup, return:

  • Group-specific PSK (for Meraki to validate the PSK).

  • Cisco AV-Pair attribute:

    • Door Locks GroupCisco:Cisco-AVPair = "udn:private-group-id=10"

    • Fire Alarms GroupCisco:Cisco-AVPair = "udn:private-group-id=11"

This ensures:

  • Door lock devices can communicate with each other securely.

  • Fire alarm devices can communicate internally.

  • Devices from Door Locks and Fire Alarms cannot communicate across groups, despite being on the same wireless SSID.

Important Notes #

  • If no UDN tag is returned by RADIUS, Meraki places the client into a default group without isolation.

  • The UDN feature requires Meraki firmware supporting Identity PSK with RADIUS (available in enterprise Meraki networks).

  • EntryPoint allows dynamic configuration of UDN tags based on device group membership.

Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.