Meraki and ISE integration and Live Log not showing info on Port and Network Device

FiorMaxi
Just browsing

Hi,

In a Meraki MS switches + Cisco ISE deployment with 802.1X authentication we are facing this problem:

We are not able to see the port info in Live Logs for wired authentication (the Port column is empty). I see the AVP t=NAS-Port(5) l=6 val=14 in the RADIUS packet sent to ISE, but it's not mapped successfully.

Is there a way to have the Port value filled in correctly?

Also, if we add network devices (Meraki APs or switches with DHCP IP addresses) in ISE as a single subnet object with one shared secret, we also lose the Network Device column detail (it fills in only the network, not the real switch name or AP name).

Is there a way to have a better integration?

Thank you

Max

alemabrahao
Kind of a big deal

Take a look at this document.

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
FiorMaxi
Just browsing

Hi,

I've read this document but it doesn't solve the missing Port info on live logs.

BR

Max

alemabrahao
Kind of a big deal

You need to import Meraki-specific RADIUS Vendor Specific Attributes into Cisco ISE.

VENDOR Meraki 29671
BEGIN-VENDOR Meraki
ATTRIBUTE Meraki-Device-Name 1 string BOTH
ATTRIBUTE Meraki-Network-Name 2 string BOTH
ATTRIBUTE Meraki-Ap-Name 3 string BOTH
ATTRIBUTE Meraki-Ap-Tags 4 string BOTH
END-VENDOR Meraki

Tuning the Cisco ISE for Meraki Networks – Karstens Cyber-Fi Blog

FiorMaxi
Just browsing

Hi,

Thank you!

But where can I find the Port number in the ATTRIBUTE list you sent?

Max

alemabrahao
Kind of a big deal

The NAS-Port attribute (AVP: t=NAS-Port(5) l=6 val=14) does contain the port number, but it's a numeric value that represents the port index or ID as seen by the NAS (in this case, the Meraki switch).

Cisco ISE does not automatically map this numeric value to a human-readable port name (like Gig1/0/14) unless the NAS (Meraki) provides additional context.
Meraki switches do not send full interface names in standard RADIUS attributes like Cisco switches do.

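To make the two points above concrete (NAS-Port is only an integer index, and the switch/AP name arrives in Meraki vendor-specific attributes), here is an added example that is not from this thread or from Cisco/Meraki: a small RADIUS attribute encoder/parser run over a constructed Access-Request attribute list. The switch name "core-sw-01", the network name "HQ-Network" and the vendor sub-attribute names are taken from the dictionary posted earlier; the sample values themselves are made up.

```python
import struct

# Attribute type codes from RFC 2865/2869; vendor ID 29671 from the dictionary above.
NAS_PORT, VENDOR_SPECIFIC, NAS_PORT_ID = 5, 26, 87
MERAKI_VENDOR_ID = 29671
MERAKI_VSA_NAMES = {1: "Meraki-Device-Name", 2: "Meraki-Network-Name",
                    3: "Meraki-Ap-Name", 4: "Meraki-Ap-Tags"}

def avp(attr_type, value):
    """Encode one RADIUS AVP: type (1 byte), length (1 byte, includes header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def meraki_vsa(sub_type, text):
    """Encode a Meraki VSA: Vendor-Specific(26) wrapping Vendor-Id + sub-attribute."""
    body = text.encode()
    vendor_data = struct.pack("!BB", sub_type, 2 + len(body)) + body
    return avp(VENDOR_SPECIFIC, struct.pack("!I", MERAKI_VENDOR_ID) + vendor_data)

def parse_attributes(payload):
    """Walk the AVP list and return the fields a RADIUS server could map to names."""
    result = {}
    i = 0
    while i < len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed AVP at offset %d" % i)
        value = payload[i + 2:i + length]
        if attr_type == NAS_PORT:
            # Bare integer: "14" with no hint of an interface name.
            result["NAS-Port"] = struct.unpack("!I", value)[0]
        elif attr_type == NAS_PORT_ID:
            # String form of the port; absent from the constructed Meraki sample.
            result["NAS-Port-Id"] = value.decode(errors="replace")
        elif attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == MERAKI_VENDOR_ID:
                sub_type, sub_len = value[4], value[5]
                name = MERAKI_VSA_NAMES.get(sub_type, "Meraki-Unknown-%d" % sub_type)
                result[name] = value[6:4 + sub_len].decode(errors="replace")
        i += length
    return result

# Constructed sample attribute list (hypothetical switch "core-sw-01", client on port 14).
SAMPLE = (avp(NAS_PORT, struct.pack("!I", 14))
          + meraki_vsa(1, "core-sw-01")
          + meraki_vsa(2, "HQ-Network"))
```

Running parse_attributes(SAMPLE) yields NAS-Port 14 plus the two Meraki names, with no NAS-Port-Id string present, which is why the numeric port index alone cannot populate a human-readable Port column.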
alemabrahao
Kind of a big deal

Avoid using subnet objects for Meraki devices with DHCP IPs; instead, manually add each Meraki device in ISE with its hostname and MAC address.

FiorMaxi
Just browsing

Hi,

I see... this is weird... the name is Cisco Meraki! They have to enhance the integration with ISE... Port visibility in Live Logs is a basic feature that all customers want to have!

Max

alemabrahao
Kind of a big deal

If you configure port descriptions on Meraki switches, you can use ISE's CoA policies to tag or log those descriptions, but this is limited.

PhilipDAth
Kind of a big deal

As a matter of interest, why?

I don't use Cisco ISE at all, but with other RADIUS servers, I exclusively use the subnet approach.
