Meraki AP(NAD) group policy working not properly

SOLVED
MakaraMEAS
Getting noticed

Meraki AP(NAD) group policy working not properly

Dear community,

I just tested group policy which integrate with Cisco ISE, I notice that sometime it match not properly. Sometime it match the group policy that wish to apply, sometime it match default or not automatic move from one group policy group base on authorization requirement. I have opened case with TAC as well but they said configuration all fine.
If you have the same experience, please kindly share the solutions or any resource configuration both Meraki MR and Cisco ISE.

Thanks,
Makara MEAS.

M.MAKARA
1 ACCEPTED SOLUTION

Is this for a 802.1x or something else, like a splash page?

 

802.1x does not have access to anything prior to authentication, in any environment, Meraki or otherwise.  You have to authenticate just to get an IP address.

 

If this is some kind of splash page setup, you would have default global rules allowing access to AD/DNS, and then have the user authenticate, and then push a group policy with the new group policy to use with the new access rules.

 

It's not clear to me what method you are using, but perhaps these Meraki guides might be of help (the first is using MAC bypass, the second is using WPA2-Enterprise mode):

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w... 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE 

View solution in original post

10 REPLIES 10
SopheakMang
Building a reputation

cool nas

How?

M.MAKARA
SopheakMang
Building a reputation

Yerng chea pi na ke ?

alemabrahao
Kind of a big deal
Kind of a big deal

@MakaraMEAS  the ACL on Cisco ISE and Group Policy on Meraki Dashboard has to have the same name.

 

https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/361....

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I got you, it require the same name. But in testing environment it is not smooth to rollout for production.
From your experience it is working fine?

M.MAKARA

Yep, It has been working fine. 🙂

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Okay cool, maybe my configuration issue with MR.

M.MAKARA

We design (802.1x) group policy for authentication and authorization like below:
authentication: group policy permit only access to AD/DNS only

after authentication success:
authorization: group policy permit specific destination/service.

You know when it move from authentication to full authorization sometime not smooth.

M.MAKARA

Is this for a 802.1x or something else, like a splash page?

 

802.1x does not have access to anything prior to authentication, in any environment, Meraki or otherwise.  You have to authenticate just to get an IP address.

 

If this is some kind of splash page setup, you would have default global rules allowing access to AD/DNS, and then have the user authenticate, and then push a group policy with the new group policy to use with the new access rules.

 

It's not clear to me what method you are using, but perhaps these Meraki guides might be of help (the first is using MAC bypass, the second is using WPA2-Enterprise mode):

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w... 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE 

Thank you, your link is useful for me.
I just wonder why it sometime not switch from one rule to one rule not properly. sometime it match to general group policy, which is not the requirement.

M.MAKARA
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels