Meraki Community

arom · ‎Nov 26 2023

Hello team!

I'm researching on what type of profiling capabilities there is when using Meraki (in this case MS120) and NAC/ZT solution.

I've looked into Cisco ISE, Forescout, Aruba Clearpass and FortiNAC.

Looking at the official Cisco ISE support for profiling, there is basically only support for LLDP/CDP and RADIUS calling-stations-id attribute (https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...).

Other vendors, like Aruba and Forescout, tells me they can fetch information from Merakis API to get profiling information on devices and use that information to perform decisions on authorizations.

So my questions is:

1. Anyone knows why there is no official support for Cisco ISE integrating with Meraki's API over pxGrid?

2. Has anyone tried integrating Meraki's API to NAC-solutions, like above mentioned, for profiling purposes, and what was the result? Did it work as expected and what kind of capabilities can you expect?

Thanks and best regards,

arom

alemabrahao · ‎Nov 26 2023

These are questions that I believe only Meraki's engineering team will know how to answer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

arom · ‎Nov 26 2023

Yeah maybe! Just wanted to see if anyone in the community had some experience around this.

alemabrahao · ‎Nov 26 2023

I believe this documentation can help you.

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

arom · ‎Nov 26 2023

I have read this article (have a link to it in the post). The last section explains the limited profiling capabilities with Meraki and ISE, but I want to believe there is more support to it with pxGrid or similar, as other vendors have solved it!

PhilipDAth · ‎Nov 26 2023

I don't know the answer.

With AnyConnect there is an "ISE Compliance" module. This can talk to ISE, letting ISE get detailed information about the machine. I've never used this module.
There is also a NAM module, which is basically 802.1x but integrated into the same AnyConnect and compliance environment.

You can use both of these without the VPN module.

Also note that the whole system is now called "Cisco Secure Client".

There is some info about using it here:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/usecase/endpoint-compliance-using-sec...

arom · ‎Nov 26 2023

Thanks. Im very familiar with these modules and worked with them before. The modules are great but only works on devices that have support for an agent. The profiling scenarios i'm interested in has to agent-less as most devices that are of interest can't run an agent unfortunately.

GabeWaters · ‎Dec 11 2023

Thank you for the link, I appreciate you.

arom · ‎Nov 27 2023

I want to thank you for your responses and help with the questions I had. I will create a case to Meraki and Cisco to see if there is a way to use ISE pxGrid to fetch information from Meraki's API and use that information to make decisions about authorizations.

If anyone is interested in this use case, I can return later to this post and summarize my findings 🙂

Best regards,

arom

Meraki Community

Profiling

Profiling