This document outlines the detailed steps to configure wired 802.1X posture with Cisco ISE. The switch used is a Meraki MS switch.
Before proceeding, check Meraki MS switch compatibility with Cisco ISE here - https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...
Ensure the switch supports the Group Policy ACL, URL Redirect and CoA features; ISE posture will not work without them.
I couldn't find a comprehensive document to set up wired posture, hence I created one as per the setup I have done.
The first configuration is done on the Meraki MS switch.
Meraki MS Switch Configuration
- Log in to the Meraki Dashboard
- Switching > Configure > Policies
- Enter the configuration as shown below
The name of the access policy is what you will use as the redirect ACL name in ISE.
Enter the ISE IP in the RADIUS server field and test the connectivity. Ensure the RADIUS attribute “Filter-Id” is selected, as it is the key to this setup: the Airespace-ACL-Name value from ISE is passed to the MS switch via this attribute. Note: as of December 2023, Meraki MS switches do not support downloadable ACLs (dACL).
- Go to Switching > Monitor > Switch ports
- Select the access policy created above
You can apply it to as many ports as required for wired posture.
Cisco ISE Configuration
- ISE > Work Centers > Posture > Network Devices
Add the Meraki switch IP and configure the RADIUS authentication settings.
- ISE > Work Centers > Posture > Policy Elements > Allowed Protocols
Click Add
Select only the EAP protocols you require (I had selected all for the time being); everything else was left at the default settings.
Read the section “Choosing an EAP Method” from here - https://www.intel.com/content/www/us/en/support/articles/000006999/wireless/legacy-intel-wireless-pr....
- ISE > Work Centers > Posture > Policy Elements > Downloadable ACL
Create three ACLs for the unknown, non-compliant and compliant states:
Unknown_DACL
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <ISE IP>
permit tcp any host <ISE IP>
deny ip any any
deny tcp any any
Non Compliant ACL
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <ISE IP>
deny ip any <LAN NW> 0.0.255.255
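As an added example (not from the original document), the following Python evaluates the Unknown_DACL and Non Compliant ACL above against sample flows, so you can check what an endpoint can reach in each posture state before pushing the ACLs. The ISE IP 10.0.0.10 and LAN 10.0.0.0/16 are assumed placeholders, and the behaviour when no entry matches is passed in explicitly, because IOS-style ACLs end in an implicit deny while Meraki group-policy ACLs may not.

```python
import ipaddress
# Constructed sample input: the Unknown_DACL and the non-compliant ACL from this
# document, with placeholders filled in (assumed: ISE at 10.0.0.10, LAN 10.0.0.0/16).
UNKNOWN_ACL = """permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 10.0.0.10
permit tcp any host 10.0.0.10
deny ip any any
deny tcp any any"""
NONCOMPLIANT_ACL = """permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 10.0.0.10
deny ip any 10.0.0.0 0.0.255.255"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

def _addr(t, i):
    """Consume one address spec (any | host X | X wildcard) at t[i]; return (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverse masks, which ipaddress accepts as a hostmask.
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>' at t[i]; return (port or None, next i)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse ACEs of the form: action proto src [eq port] dst [eq port]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        entries.append((t[0], t[1], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, sport, dst, dport, default="deny"):
    """First matching entry wins. `default` applies when nothing matches: IOS ACLs end
    in an implicit deny, but Meraki group-policy semantics may differ, so state it."""
    for action, p, snet, sp, dnet, dp in entries:
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return default
```

With an implicit deny, the explicit LAN deny in the non-compliant ACL is redundant and the endpoint could not reach any remediation server; confirm the trailing behaviour on the switch before relying on it.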
The third ACL can be the default permit-all IPv4 ACL.
- ISE > Work Centers > Posture > Policy Elements > Authorization Profiles
Create three authorization profiles for the unknown, non-compliant and compliant states:
Profile_Unknown
Select Unknown_DACL as the DACL name
Configure Web Redirection as below:
The key to this setup is the ACL name in the above screenshot. It must exactly match the name of the access policy created on the Meraki MS switch. Refer to step 3 in this document.
For the value, choose an ISE portal. You can create a new portal from ISE > Work Centers > Posture > Client Provisioning > Client Provisioning Portal.
The final result should be as below:
Non Compliant profile
Compliant profile
- Navigate to Work Centers > Posture > Client Provisioning
Click Resources
Click Add > Agent resources from local disk
Select Category > Cisco Provided Packages
Click Browse
Locate the AnyConnect or Secure Client head-end .pkg package file and upload it
(you need to download this from software.cisco.com)
Click Submit, then click Confirm when prompted
Click Add > Agent resources from Cisco site
Locate the AnyConnect Compliance Module for Windows and save it
Click Submit, then click Confirm when prompted
- ISE > Work Centers > Posture > Client Provisioning > Resources
Create a new Agent Posture Profile
Set the Discovery host to the ISE IP address
Set the Server name rules to the ISE FQDN
Set the Call Home List to the ISE IP address
Leave everything else at the default and save
- ISE > Work Centers > Posture > Client Provisioning > Resources
Create a new Agent Configuration
Select the agent package and compliance module from the drop-down
Select ISE Posture under “Cisco Secure Client Module Selection”
In the Profile Selection, select “ISE Posture, Network Access Manager, Network Visibility” from the drop-down
- ISE > Work Centers > Posture > Client Provisioning > Client Provisioning Policy
Create a new policy and set the result to the AnyConnect agent profile you created above
Select the required operating system or other required conditions
Ensure the policy is enabled; an enabled policy has a tick mark on the left side.
- Now open Policy Sets and create a new policy set
Select Allowed Protocols as the one created in the step above
- Expand the policy set
Create a new authentication policy
In the conditions, select Wired_802.1X and Wired_MAB (with an OR condition)
Select your required user ID store, internal or AD
- Open the authorization policy and create three new policies as below:
- Save the policy
- ISE > Work Centers > Posture > Policy Elements > Conditions
Create your required condition. I have created a simple file condition:
- ISE > Work Centers > Posture > Policy Elements > Requirements
Create a requirement referring to the condition you created above. Set the remediation action as message text.
Select your required operating system, agent type, compliance module version, etc.
- ISE > Work Centers > Posture > Posture Policy
Create a new policy referring to the requirement above.
Select your required operating system, agent type, etc.
Ensure the policy is enabled; an enabled policy has a tick mark on the left side.
Endpoint Configuration
For 802.1X authentication to work, the client system's network adapter should be configured as below. You can choose which EAP authentication method to use. For this setup I am using basic EAP authentication without certificates.
EAP-TLS relies on client-side and server-side certificates to perform mutual authentication. This is considered one of the strongest EAP types; however, it requires each and every client to have a certificate pre-installed.
EAP-PEAP requires only a server-side certificate, which the client uses to authenticate the authentication server. PEAP is known as a tunneled EAP type because it first establishes an outer TLS tunnel and then sends the credentials via an inner tunnel. The inner method can be virtually any EAP type, but the widely used inner method is MSCHAPv2.
EAP-FAST is very similar to PEAP: it first establishes an outer TLS tunnel, and inside this encrypted tunnel a secondary inner EAP method (such as MSCHAPv2) is used to authenticate the user.
Testing the Setup
Connect a laptop to the switch port and access any website. You should be redirected to the ISE portal as in the screenshots below.
You can download the Secure Client from the redirected portal and install it on the laptop.
Once installed, the client checks for posture compliance and, if compliant, permits you onto the network.