ACL migration from WLC to Meraki Group policies for ISE posturing and CoA

SOLVED
Madhan_kumar_G
Conversationalist

ACL migration from WLC to Meraki Group policies for ISE posturing and CoA

Hi,

ISE is used for posturing.

During migration from Cisco WLC to Meraki Wireless, existing setup has ACLs created in WLC. Now we are configuring similar group policies in Meraki. Using Airspace ACL attribute for deciding the ACL.
 Do we have to keep permit and deny as it is in WLC or need to inverse them in Meraki?
Confusion is because of redirect ACLs
Please clarify.

1 ACCEPTED SOLUTION
GIdenJoe
Kind of a big deal

Meraki does not use the concept of redirect ACL.  This document outlines your use case https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE

 

Basically you need to choose the ISE portal authentication and the URL that is passed from ISE will be used.
Don't forget to put ISE IP's in the walled garden to avoid having the redirect loop (which kind of acts as your preauth ACL).

If you apply any ACL AFTER authentication you will have to pass Filter-ID or Airespace-ACL which have regular permits and denies and will not be inverted.

View solution in original post

1 REPLY 1
GIdenJoe
Kind of a big deal

Meraki does not use the concept of redirect ACL.  This document outlines your use case https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE

 

Basically you need to choose the ISE portal authentication and the URL that is passed from ISE will be used.
Don't forget to put ISE IP's in the walled garden to avoid having the redirect loop (which kind of acts as your preauth ACL).

If you apply any ACL AFTER authentication you will have to pass Filter-ID or Airespace-ACL which have regular permits and denies and will not be inverted.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels