Meraki

R1d3rOfD0om · ‎Apr 1 2020

Hi folks,

Not sure if this is the right place, I apologize for this,

Im struggling gathering ideas on how I can make this to work

I have Cisco ISE as radius and a corporate wireless using dot1x already integrated with AD

I have deployed a MX450 as a hub and MX68 as spokes where needed,

everything is set up now, but basically what I want is to create lets say a 192.168.10.0/24 for corporate wireless simulating the internal LAN , so users on the 192.168.10.0/24 can be as if they were connected in the real corporate wireless inside the enterprise,

Under ISE settings, I need to add the appliance like if it was a WLC but its a private IP, however, the MX68 gets a public IP

Under ISE which private IP do I use? the HUB or the individual spokes MX68s? they use a public fake IP randomly assigned by the HUB

Im new to this meraki tech, so not sure how to make that work.

My issue is how can I make a communication from the internal ISE private IP to the MX?

is it each MX that I need to ad as network device under ISE? or just the HUB and the hub can give orders to each MX68?

is there any documentation that shows ideas?

so in summary is which MX private IP do I use to set ISE? if they all have public ones

in other words, how can I move my current private wireless SSIDs currently working to the MX68 and being authenticated to ISE?

GIdenJoe · ‎Apr 2 2020

Why exactly would you want your MX to communicate with ISE to change wireless clients VLAN?

Normally you let your AP's communicate with ISE to decide which VLAN they are on.

Assume that on every site you use VLAN 101 as corporate and VLAN 102 as guest.

You can have ISE return a filter-id to the requestion access point that points to the name of a group-policy (which is a construct defined under network-wide/group policies) In that group-policy you define VLAN 101 and access-list entries for filtering.

You will however need to define all your AP's in ISE or at least their subnets.

But if you have a site with VLANs that are different you can put those AP's inside a group in ISE so they receive another authorization profile with the other VLAN settings.

R1d3rOfD0om · ‎Apr 2 2020

Thanks Sir,

I see, I was confused thinking still of the Cisco Wireless Controller, I thought the MX450 acts as a controller for that purpose,

The current wifi infra is

ISE as radius

WLC added as network device in ISE

Cisco APs connected to WLC using flexconnect, so we use a native vlan for registering each AP to WLC, one subnet for corp and one subnet for guest access

so, if my logic is right, in the meraki world, this does not exist anymore,

Im confused because in ISE need to add the Meraki AP as a network device

lets say I create a new network template, assign vlans and subnets, input the correct parameters for WPA2, etc and radius which is the ISE

which IP do I assign as network device in ISE?

the way is now, its a template based on the network but the meraki AP gets a public IP

Do i need to create a new subnet under security and SD-WAN and make it to act as management IP ?

or which IP do I use to be added under ISE?

sorry if Im not providing the info, but if you need anything else, please let me know

GIdenJoe · ‎Apr 2 2020

I see in you Cisco deployment you are already using flexconnect local switching which closely aligns with what Meraki AP's do. The difference is you are probably doing local switch with central auth which makes your WLC the authenticator instead of the AP.

So following your flexconnect knowledge, think about local authentication as being the default for Meraki AP.

So each AP will talk to ISE using it's LOCAL IP.

Basically do the same like you have been.
Provision a VLAN for your AP management per site and use trunks to all AP's. Native VLAN being the management of your AP's and allowed VLANs every possible VLAN you want to use for client traffic even if it's dynamically given by ISE.

Then in ISE configure those entire AP management subnets in network devices with a shared key so the AP's are allowed to talk to ISE.

Then you can even do a test of a user in the SSID access control configuration.

Finally make your authz profiles. You can't use VLAN assignments directly with AP's afaik. You need to define a filter-id pointing to a group-policy configured in Meraki Dashboard and that contains the correct VLAN.

PhilipDAth · ‎Apr 2 2020

>Im confused because in ISE need to add the Meraki AP as a network device

Typically you specify a supernet for all the APs that can exist, such as 172.16.0.0/8, for the RADIUS client. This then allows any AP in that supernet to authenticate, and you don't have to configure a RADIUS client for each AP seperately.

R1d3rOfD0om · ‎Apr 2 2020

thanks for the info,

let me try to create a new template and start testing to see how it goes

Regards,

R1d3rOfD0om · ‎Apr 22 2020

Sorry for the late reply, just wanted to give you an update, it was such a simple click, I was overwhelming myself coming from ISE world, but yes, it worked by adding the network of the network attached to the network template and it worked, thanks so much for your advise everyone

GIdenJoe · ‎Apr 22 2020

Great 🙂

I don't see how you can still get overwhelmed when you're coming FROM the ISE world but oh well 😉

Meraki

Community

ISE with and MX450

ISE with and MX450