Crafting advanced SSID policies
Most of the features described thus far are found in Pro. Where Enterprise Cloud Controller starts to shine is advanced policy creation, monitoring, and analysis. For small offices that need only WEP or WPA2-PSK security and WMM priority, Pro is plenty. Large organizations with diverse populations and applications may need Enterprise Cloud Controller to strengthen security, leverage infrastructure, deliver analytical insight, and enable diagnostics.
For example, Cloud Controller can apply layer 3/4 stateful packet inspection rules to each SSID, but Enterprise Cloud Controller can also apply layer 7 rules selected from a growing list of fingerprinted applications, including HTTP-encapsulated video/music, VoIP, email, software updates, P2P, or specified Web servers. Each app category can be further filtered; for example, to differentiate between Gmail and POP/IMAP. Bandwidth limits and DSCP / VLAN tags can also be applied to classify and shape traffic per-app category for each SSID (below).
When more granular filtering or shaping is needed, Group policies can override SSID policies. For example, we let our admin Group bypass SSID bandwidth limits, app block rules, and captive portal pages applied to other users.
This raises the question: How does Enterprise Cloud Controller determine which users belong to each Group? The answer: Group policies can only be applied to users granted access by MAC ACL or by 802.1X authentication against a customer’s RADIUS server configured to return a group attribute.
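The precedence described above, as an added sketch that is not Meraki code: a Group override replaces SSID settings only when the client arrived through one of the two admission paths that can carry a group. All names, the MAC-to-group table, and the fall-back to the SSID policy for unknown groups are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Policy:
    bandwidth_kbps: Optional[int]   # None means no limit
    blocked_apps: frozenset         # layer 7 categories blocked on the SSID
    captive_portal: bool

# Constructed sample data; names and values are hypothetical.
SSID_POLICY = {"guest": Policy(1000, frozenset({"p2p", "video"}), True)}
GROUP_OVERRIDES = {
    "admin": {"bandwidth_kbps": None, "blocked_apps": frozenset(),
              "captive_portal": False},
}
MAC_ACL_GROUPS = {"00:11:22:33:44:55": "admin"}  # assumed MAC ACL -> group map

def resolve_group(auth_method, mac, radius_group=None):
    """Return a group only for MAC ACL or 802.1X admissions."""
    if auth_method == "8021x":
        return radius_group              # group attribute returned by RADIUS
    if auth_method == "mac_acl":
        return MAC_ACL_GROUPS.get(mac.lower())
    return None                          # PSK/open: nothing to bind a group to

def effective_policy(ssid, auth_method, mac, radius_group=None):
    """SSID policy, with Group settings overriding it when a group resolves."""
    base = SSID_POLICY[ssid]
    override = GROUP_OVERRIDES.get(resolve_group(auth_method, mac, radius_group))
    if override is None:                 # no group, or a group with no policy
        return base
    return replace(base, **override)

if __name__ == "__main__":
    for method, group in (("8021x", "admin"), ("psk", "admin"), ("8021x", "sales")):
        print(method, group, effective_policy("guest", method,
                                              "aa:bb:cc:dd:ee:ff", group))
```

In this model, a PSK client that somehow presents a group name still receives the restricted SSID policy, which is the property worth checking when auditing who can bypass limits and the captive portal.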
In short, admins can use Enterprise Cloud Controller to assert fine-grained layer 2 – 7 controls integrating with customer network elements like VLAN trunks and RADIUS servers. For simplicity, Meraki offers alternatives such as hosted RADIUS, a customizable captive portal with “guest ambassador” visitor management, and a portal-based connect-time check to ensure each client is running anti-virus. This is all included in Enterprise Cloud Controller at no extra cost.
Advanced options such as these have helped Meraki’s Enterprise Cloud Controller move up the food chain to address larger business needs. As Wi-Fi grows more pervasive, even mid-sized businesses can benefit from many of these options, especially app-layer controls. But it can be tough to keep simple tasks simple while supporting complex policies. In our opinion, Meraki’s dashboard is still easy to navigate, but beginning to exhibit feature-creep clutter.
Keeping an eye on your WLAN
Configuring a network is only part of the battle; ongoing maintenance and troubleshooting are where admins often spend the bulk of their time. To reduce total cost of ownership (TCO), Meraki has been steadily expanding Enterprise Cloud Controller to deliver deeper and broader insight and tools.
Starting from any network (site) map, admins can drill down into clicked APs or Clients, or select one from searchable lists. Using the APs panel, admins can eyeball current channels, usage, client counts, or export a snapshot to XML. Using the Clients panel, admins can see each client’s state, AP, SSID, MAC/IP, device type, label, usage, and (802.1X EAP phase 1) identity. But there’s more lurking under these covers:
- As a cloud service, Meraki does not have immediate access to AP-recorded stats. But admins can click on “Live Updates” to refresh displayed data once per minute.
- Drilling into a single AP brings up a set of “Live Tools,” accompanied by continually-updated near-real-time display of AP LAN port traffic, RF channel utilization, and more.
- Hovering over each Client highlights that device’s activity on an SSID traffic usage graph, plotted over the past two hours, day, week, or month. (Custom range would be nice!)
- Scrolling through the pie charts to the right of that graph gives usage per Application, Port, HTTP server, or customizable IP/URL bucket. Just click on any chart to view usage detail.
These panels all display data for a selected network and one or all SSIDs. During our test drive, they helped us spot unexpected applications, bandwidth hogs, and an occasional surprise visitor on a guest or open test SSID. However, jumping from graphs into traffic logs was abrupt. There, we had to sift through DNS queries to understand application activity. Organizations with many networks might wish for roll-up data or an easy way to compare network usage.
Debugging RF issues is the only time we really yearned for more detail. Searchable/filterable AP logs enumerate authentication and association events, but do not supply PHY/MAC details like Information Elements or RSSI that might indicate why an association could not be formed. Instead, we had to break out a WLAN analyzer to troubleshoot low-level RF issues.
Fortunately, Meraki has been expanding in this area, adding the aforementioned AP Live Tools. Here, admins can instruct each AP to relay real-time RF and throughput metrics, visualize spectral graphs, and ping or traceroute troubled clients. When all else fails, admins can use this panel to reboot an AP, but we saw no way to forcibly disconnect one cranky client.
Understanding your airspace
One of our favorite Enterprise Cloud Controller panels is the Summary Report, which can be emailed on-demand or scheduled (HTML or text format). This report delivers analytics for a selected network, including top APs, Clients, Apps, and Operating Systems (by % client and % usage), along with per-SSID usage. Here again, a custom date range would be a nice addition, but what we liked the most was using this report to spot areas needing investigation, while making it easy to drill directly into affected AP or Client details.