Meraki Community

MariachiGuy · ‎May 18 2020

I have a question regarding the policy support for the MS390 and Adaptive Policy. Wondering if ISE is the only supported solution or if other competitive solutions are supported to build the policies. I have a customer asking this. Thanks

GIdenJoe · ‎May 18 2020

ISE provides the Authorization in this case by matching a session based on user credentials and context. ISE usually also has the SGT's. But the policies are defined in dashboard. Because it's there you will say which SGT can reach which SGT or not.

I could be wrong but I believe if your own radius solution can return the correct av-pair to the switch you could assign SGT's to usersessions.

PhilipDAth · ‎May 18 2020

Also note you don't need to use a RADIUS server at all. You can assign the SGT (aka group) via the dashboard.

I don't see why other RADIUS servers wouldn't work (assuming you are using 802.1x). It just needs to be able to return the attribute.

MariachiGuy · ‎May 18 2020

Great. Thank you both for your quick responses

WirelesslyWired · ‎May 29 2020

ISE is not required but does make assigning SGTs to an Access_accept incredibly easy. You can assign tags in a few ways. 1. Statically to a switchport or an SSID, dynamically via RADIUS av-pair, and in the near future, you will be able to create Network Object Groups and map them to SGTs as a fallback tagging mechanism.

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product

Meraki Community

MS390 Adaptive Policy NAC support

MS390 Adaptive Policy NAC support