Question about Vendor MAC based VLAN Access

JoachimGebhardt
Here to help


Hey,

For a project, we are trying to figure out how best to do vendor MAC based VLAN access with Meraki MS.

Examples:

All Printers - VLAN 100

Vendor X - MAC 00:01:AA

Vendor Y - MAC 03:05:AA

All Phones - VLAN 200

.....

We already did some tests with NPS RADIUS and PacketFence, but we are not happy at all.

Maybe you have some ideas for us.

Thanks in advance

CMNA, CMSS
alemabrahao
Kind of a big deal

The best tool for your case is Cisco ISE.

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...

https://community.cisco.com/t5/security-knowledge-base/dynamic-attribute-with-ise-mac-address-matchi...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal

+1 for Cisco ISE. MAC-based access is easy, and ISE will make it much easier than, for example, NPS to move to 802.1X later.

JoachimGebhardt
Here to help

OK, thanks for your replies.

As I figured out, we will need ISE Advantage Licenses for profiling. Am I right?

CMNA, CMSS
KarstenI
Kind of a big deal

Yes, Advantage or "better" is needed for profiling. But only for the devices that get their authorisation by elements from profiling.

KarstenI
Kind of a big deal

But you only need profiling if you want the system to detect the type of device. If you are willing to classify your MAC-addresses into groups manually (or by import from a CSV where the mapping is available), the Essentials-license is enough. And that license is quite cheap.
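
An added example, not part of any post in this thread: one way to prepare the manual MAC-to-group mapping discussed above from a device inventory, keyed on the vendor prefix (OUI). The prefix 00:01:AA and VLANs 100/200 come from the question; the phone prefix, group names and CSV column names are hypothetical and are not ISE's import format.

```python
import csv
import io
import re

# Hypothetical OUI-to-group table. 00:01:AA and VLANs 100/200 come from the
# question above; the phone prefix and the group names are constructed.
OUI_GROUPS = {
    "0001AA": ("Printers", 100),
    "0005BB": ("Phones", 200),
}
UNCLASSIFIED = ("Unclassified", None)  # left for manual review


def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[.:\-\s]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def classify(raw):
    """Map one MAC address to (mac, group, vlan, note)."""
    mac = normalize_mac(raw)
    if mac is None:
        return (raw, *UNCLASSIFIED, "not a MAC address")
    first_octet = int(mac[:2], 16)
    pretty = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    if first_octet & 0x01:
        return (pretty, *UNCLASSIFIED, "group (multicast) address")
    if first_octet & 0x02:
        # Locally administered (e.g. randomized) addresses carry no vendor OUI.
        return (pretty, *UNCLASSIFIED, "locally administered, no vendor OUI")
    group, vlan = OUI_GROUPS.get(mac[:6], UNCLASSIFIED)
    return (pretty, group, vlan, "" if vlan else "unknown vendor prefix")


def build_csv(macs):
    """Render the classification as CSV text (column names are hypothetical)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["mac", "group", "vlan", "note"])
    for raw in macs:
        writer.writerow(classify(raw))
    return out.getvalue()


if __name__ == "__main__":
    # Constructed inventory in the notations switches and spreadsheets emit.
    sample = ["00:01:aa:12:34:56", "0005.bb00.0001", "DA-A1-19-00-00-01", "00:11:22:33:44:55"]
    print(build_csv(sample))
```

Rows that end up in the Unclassified group are the ones to review by hand before import, since an OUI match identifies a vendor prefix but does not authenticate the device.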
