Dynamic Segmentation limits.

MWinther

I have a multi-domain organization with separate ADs. No trusts allowed between their ADs. Shared office spaces for their workers.
What are the limitations to implementing Dynamic Segmentation for endpoints in an organization like this?

Sincerely.
Mikael

2 REPLIES
CptnCrnch

Phew, where to start here? 🤔

 

Are you referring to doing the job solely via Meraki integration? You could possibly leverage their AD integrated NPS (RADIUS) server and have them give back some kind of Filter-ID attribute that you could use to provide the correct Group Policy to specific endpoints.

On the other hand, having all your "clients" handing out their own specifics might not be a good idea in your case.

 

I'd probably go with using Cisco ISE as your central point of Authentication and Authorization that is connected to each of your clients' ADs (up to 50 currently). Leveraging their group structure, you could write specific policies that would be used to provide specific Meraki Group Policies to the endpoints.

 

Both possibilities are similar, but you'll have way more control (and way less administrative nightmares) with the second one. After all, there are so many topics to be taken into account further so that an easy answer is almost impossible to be given with the information you provided. 🙂

 

PhilipDAth

You would need to deploy a RADIUS proxy server (I believe NPS could do this but I have never tried), and then a RADIUS server in each AD (could be NPS).

 

You configure the proxy to send requests for a.com to company a's RADIUS server, b.com to company b's RADIUS server, etc.

 

Then you can configure your Meraki switches to do 802.1x, and dynamically drop users into the correct VLAN.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Access_Policies_on_MS_Switches...

 

You can also do the same thing with Meraki WiFi.  You could have a single SSID, and dynamically drop users into different VLANs.  You could instead dynamically push a group policy for the user which would allow you to configure lots and lots of settings for them.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging#Per-User_VLAN_Taggin...
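
An added example (not code from either reply, and not NPS, ISE or Meraki configuration): a Python model of the realm-based routing described above, extended with a per-tenant allowlist so that one company's RADIUS server cannot return a VLAN or Filter-Id group policy that belongs to another company. All realms, addresses, VLAN IDs and policy names are constructed, only the `user@realm` form is handled, and rejecting replies that carry no segment assignment is an assumption.

```python
# Constructed tenant table: realm -> home RADIUS server and the only
# VLANs / group-policy names that server is allowed to hand out.
TENANTS = {
    "a.com": {"server": "10.0.1.10", "vlans": {110, 111},
              "policies": {"A-Staff", "A-Guest"}},
    "b.com": {"server": "10.0.2.10", "vlans": {120},
              "policies": {"B-Staff"}},
}

def realm_of(user_name):
    """Return the lower-cased realm of user@realm, or None if malformed."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return None
    return realm.lower()

def route(user_name):
    """Home server for this request; unknown or missing realms get no route."""
    tenant = TENANTS.get(realm_of(user_name) or "")
    return tenant["server"] if tenant else None

def filter_accept(user_name, reply):
    """Attributes to forward to the switch/AP, or None to reject.

    reply models the tenant server's Access-Accept as a dict keyed by the
    standard attribute names Tunnel-Private-Group-ID (VLAN) and Filter-Id.
    """
    tenant = TENANTS.get(realm_of(user_name) or "")
    if tenant is None:
        return None
    out = {}
    vlan = reply.get("Tunnel-Private-Group-ID")
    if vlan is not None:
        # Reject non-numeric IDs and VLANs outside this tenant's set.
        if not str(vlan).isdecimal() or int(vlan) not in tenant["vlans"]:
            return None
        out["Tunnel-Type"] = "VLAN"
        out["Tunnel-Medium-Type"] = "IEEE-802"
        out["Tunnel-Private-Group-ID"] = str(int(vlan))
    policy = reply.get("Filter-Id")
    if policy is not None:
        if policy not in tenant["policies"]:
            return None
        out["Filter-Id"] = policy
    # Assumption: fail closed when no segment assignment was returned.
    return out or None
```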

 

 
