ACCESS CONTROL

SopheakMang
Building a reputation

Dear Experts,

I want to ask about access control on the Meraki MX.

I see in the options that we can use a RADIUS server, and there is a server IP field in the option.

For example, if we have Cisco ISE, if I'm not wrong, on the Meraki MX we input the ISE IP address as the RADIUS server, and in the ISE NAD (client) we put the WAN IP of the Meraki MX?

Because on the Meraki MX there is a hint showing that the dashboard must be able to reach the RADIUS server too.

I'm not really sure about this, please help verify, thanks.

KRobert
Head in the Cloud

Hi @SopheakMang,

Are you talking about 802.1X access control? If so, then yes, you are correct when it comes to how to set up Cisco ISE. You need to create your policies in ISE, then when you are ready, add the MX IP address with the RADIUS credentials as a NAD in ISE, then on the desired switchport/SSID on the MX, add the ISE server IP, secret key, and ports.


Here is a KB article to assist as well.

https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/361...

CMNO, CCNA R+S
SopheakMang
Building a reputation

Hi bro,

As I checked in the MX dashboard, there is a hint.

The Meraki cloud must be able to communicate with your RADIUS servers via the Internet.

Please make sure that:

Your RADIUS servers have public IP addresses (i.e., they are reachable on the Internet).
Your firewall, if any, allows incoming traffic to your RADIUS servers.
You whitelist IP addresses as clients on your RADIUS server as per the firewall information page

From reading this, it seems like ISE needs to be reachable from the cloud?
What does it mean?
MerakiDave
Meraki Employee

What I think that is referring to is if/when you have a customer-hosted RADIUS on your premises, then you would need to open up UDP/1812 inbound on your perimeter firewall in order for outside clients to be able to authenticate inbound against your RADIUS server.

Not sure if that was the design you were implementing but if that's how you have it configured, it should be reflected under Help > Firewall Rules. This is typically seen when configuring splash page sign-on via RADIUS.

Alternatively, maybe you were looking to simply have the SSID auth against your internal RADIUS, so perhaps this doesn't involve splash or opening up anything from the outside to get to your RADIUS. Maybe it's just in the association section (not the splash page section) that you choose Enterprise auth with my RADIUS server, and then if you want you could still have a click-thru splash page. Sorry if I misunderstood the question. Some pretty good docs on this also https://documentation.meraki.com/Special:Search?q=radius

HungNguyen
Comes here often

Hi @KRobert,

And how about sending configuration through the API?
I have an automation project related to Meraki MX Access Control and would really appreciate it if you have documentation about this subject 🙂
Note: I've already checked this document: https://developer.cisco.com/meraki/api but none of it has an MX Access Control API (including GET & POST methods)

Thanks in advance
