Aruba ClearPass integration

EClap5
Getting noticed

Aruba ClearPass integration

Today, our Meraki wireless network is air-gapped from our production network. Associates HATE having to VPN back into the network if they're on wifi just to get access to network resources.  We just finished integration ClearPass as our NAC solution on the wired side and now have begun to integrate CP on the wireless side.  One of our network architects wants to look at using another vendor because of their documented and easier CP integration.  He also thinks Meraki isn't that robust on an enterprise level.  We have a ton of Meraki equipment at over 12 sites around the country and the thought of swapping everything out makes me cringe.  Smiley Mad

 

Has anyone tied ClearPass into Meraki and was it harder or easier than you originally thought?

 

I am hoping that once we get a working model in a test environment, our architect will be surprised that Meraki is more robust than he thought and he will not want to jump ship for another vendor.

4 REPLIES 4
rpn
Here to help

I don't know your environment, but it sounds like the proof of Meraki suitability is the fact that you already have it running successfully in 12 locations.  If you're an engineer and an architect suggests replacing it, you might challenge them for proof of an operational improvement.  And when they roll up a projected cost, don't let them skip over the non-product costs (like de-install/install of APs).

 

Unfortunately, ClearPass does win out over ISE sometimes.  When it does, I've always found that it interoperates very well with traditional Cisco products.  I would expect the same with Meraki.  In general, the 802.1x standard is consistently implemented these days.  One feature that's been a sticking point in the past (maybe still in some cases) is Change of Authorization (CoA).  That's how a security policy solution (NAC) tells a switch your access rights have changed.  I've never heard of it implemented on a WLAN, so it shouldn't be a concern for your stated use case.  While I have not specifically seen CP and Meraki interoperate, I would expect it to go just fine for the standard RADIUS based auth most folks are after on a WLAN.

 

Stand up a new SSID with 802.1x auth pointed at the CP host and see for yourself!

MerakiDave
Meraki Employee
Meraki Employee

@rpn is spot on, and you should engage with your local Meraki team (or Cisco Partner) to lead a meeting to make sure your network eng/arch team understands the full value proposition of the Meraki solution, maybe as opposed to a checkbox by checkbox comparison of dozens of features you aren't using in an attempt to say Meraki isn't "robust enterprise class" which is untrue.  You may find someone's alternate agenda surface.  Read through this blog post before attending that meeting: https://meraki.cisco.com/blog/2017/08/infographic-reducing-total-cost-of-ownership/

 

<soapbox> Many Meraki competitors (both before and after acquisition by Cisco) have long stated that Meraki is meant for SMB, and they still say that.  Not even considering all the Meraki deployments in dozens of global fortune 500 companies and thousands of enterprises, Meraki's explosive growth is proof enough.  57% YoY (accelerating) growth of a billion dollar business is unheard of these days in the IT world, and that's exactly what Meraki did just in the last fiscal year.  </soapbox> 

 

Meraki certainly does integrate with CP as well as multiple other 3rd party identity sources, pretty much anything that has a standards-based RADIUS interface.  Also, the CoA on MR Wireless @rpn mentioned is fully supported (in case you do need it but it wasn't mentioned) and you'll find more info here: https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU... and here are some related docs: https://documentation.meraki.com/MR/Encryption_and_Authentication/External_Identity_Sources#RADIUS and https://documentation.meraki.com/MR/Encryption_and_Authentication/Wireless_Encryption_and_Authentica...

 

When I started with my company, I was very green in terms of networking.  The first few weeks I just read KB articles and poked around at everything in Dashboard.  It's really the only thing I know when it comes to networking as I haven't dealt that much (yet) with command line stuff.  I've pretty much been the sole person to manage the wifi at all of our locations and the ease of Meraki has allowed that. 

 

That being said, I am fighting to keep Meraki in our work place.  Our test environment for the DOT1X is almost up and running so we'll see how our architect feels after a POC!

Hello, I know it's been years but were you able to make CP and Meraki work in your test environment? I'm looking on a solution that will let students self-register their alexa's, nintendo switches, etc.. and set rules upon joining the wireless network.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.