cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Group-policy applied to client via Cisco ISE

Getting noticed

Group-policy applied to client via Cisco ISE

Hi,

I have the following problem. I use Cisco ISE to assign group-policy to clients based on the authorization result. I can see successfully applied policy in the Client page via 802.1x. The thing is that the configured filtering (content or URL) doesn't work when the group-policy is applied via dot1x. L3 firewall works, there is no issue. When I apply group-policy manually to the client, everything works as expected. The support told me that it is expected behaviour: the policy does apply to layer 3 for the MX and the MR but not per SSID.

Suggestion is to apply policy manually or via AD.

But I would like to have it applied via dot1x. Does anybody have experience with this?

 

thank you

2 REPLIES 2
Kind of a big deal

Re: Group-policy applied to client via Cisco ISE

Applying group policy by RADIUS attribute is only for the MR as shown in the table here:

2019-05-02 11_25_32-Window.png

https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

And for the MR content filtering is not supported as shown in the table here:

2019-05-02 11_25_20-Window.png

https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

So that's why.

 

To solve your issue I'd try going at it in a different way. What about assigning a dynamic VLAN to clients and applying group policies on a VLAN basis?

Getting noticed

Re: Group-policy applied to client via Cisco ISE

Hi,

the client I test from is connected to the wifi, so dot1x should be applied as per the documentation. This works, group-policy is applied. The second table says that content filtering is not supported on the MR - correct. I expect that the content filtering in my situation is done on the MX. And if the content filtering is done on the MR then my question is why the content filtering works when I assign the group-policy manually to the client.

thank you

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.