MS390 Adaptive Policy NAC support

MariachiGuy
Conversationalist

MS390 Adaptive Policy NAC support

I have a question regarding the policy support for the MS390 and Adaptive Policy.  Wondering if ISE is the only supported solution or if other competitive solutions are supported to build the policies.  I have a customer asking this.  Thanks

4 REPLIES 4
GIdenJoe
Kind of a big deal
Kind of a big deal

ISE provides the Authorization in this case by matching a session based on user credentials and context.  ISE usually also has the SGT's.  But the policies are defined in dashboard.  Because it's there you will say which SGT can reach which SGT or not.

 

I could be wrong but I believe if your own radius solution can return the correct av-pair to the switch you could assign SGT's to usersessions.

PhilipDAth
Kind of a big deal
Kind of a big deal

Also note you don't need to use a RADIUS server at all.  You can assign the SGT (aka group) via the dashboard.

 

I don't see why other RADIUS servers wouldn't work (assuming you are using 802.1x).  It just needs to be able to return the attribute.

Great.  Thank you both for your quick responses

WirelesslyWired
Meraki Employee
Meraki Employee

ISE is not required but does make assigning SGTs to an Access_accept incredibly easy. You can assign tags in a few ways. 1. Statically to a switchport or an SSID, dynamically via RADIUS av-pair, and in the near future, you will be able to create Network Object Groups and map them to SGTs as a fallback tagging mechanism.

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels