Profiling

arom
Here to help


Hello team!
 
I'm researching what type of profiling capabilities there are when using Meraki (in this case MS120) and a NAC/ZT solution.
 
I've looked into Cisco ISE, Forescout, Aruba Clearpass and FortiNAC.
 
Looking at the official Cisco ISE support for profiling, there is basically only support for LLDP/CDP and RADIUS calling-stations-id attribute (https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...).
Other vendors, like Aruba and Forescout, tell me they can fetch information from Meraki's API to get profiling information on devices and use that information to make decisions on authorizations.
 
So my questions are:
1. Does anyone know why there is no official support for Cisco ISE integrating with Meraki's API over pxGrid?
2. Has anyone tried integrating Meraki's API with NAC solutions, like those mentioned above, for profiling purposes, and what was the result? Did it work as expected and what kind of capabilities can you expect?
 
Thanks and best regards,
arom
8 Replies
alemabrahao
Kind of a big deal

These are questions that I believe only Meraki's engineering team will know how to answer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Yeah maybe! Just wanted to see if anyone in the community had some experience around this.

alemabrahao
Kind of a big deal

I believe this documentation can help you.

 

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...


I have read this article (have a link to it in the post). The last section explains the limited profiling capabilities with Meraki and ISE, but I want to believe there is more support to it with pxGrid or similar, as other vendors have solved it!

PhilipDAth
Kind of a big deal

I don't know the answer.

 

With AnyConnect there is an "ISE Compliance" module.  This can talk to ISE, letting ISE get detailed information about the machine.  I've never used this module.
There is also a NAM module, which is basically 802.1x but integrated into the same AnyConnect and compliance environment.

You can use both of these without the VPN module.

 

Also note that the whole system is now called "Cisco Secure Client".

 

There is some info about using it here:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/usecase/endpoint-compliance-using-sec... 

Thanks. I'm very familiar with these modules and have worked with them before. The modules are great but only work on devices that have support for an agent. The profiling scenarios I'm interested in have to be agent-less, as most devices that are of interest can't run an agent, unfortunately.

Thank you for the link, I appreciate you.

arom
Here to help

I want to thank you for your responses and help with the questions I had. I will create a case to Meraki and Cisco to see if there is a way to use ISE pxGrid to fetch information from Meraki's API and use that information to make decisions about authorizations.

If anyone is interested in this use case, I can return later to this post and summarize my findings 🙂

 

Best regards,

arom
