Meraki Community

AJDINI · ‎Jan 6 2021

Meraki - ISE Secure Access - BYOD Single SSID

Regarding of this issue I found a similar configuration but between ISE and Cisco Wireless Lan Controllers. Please, I need your help to find if it could be posible the integration Meraki-ISE about the BYOD in Single SSID

I look forward to yours advices, of course, please, don't hesitate to contact me.

Thanks in advance for your help.

Best Regards
Alejandro

KarstenI · ‎Jan 6 2021

I never used it with single SSID but I do not see any reason why it should not work. In the ISE you need to distinguish the enrolment with the EAP-type. While the access is PEAP, the user is no yet enrolled. When EAP-TLS is used, the enrolment is finished.

AJDINI · ‎Jan 6 2021

First of all, thanks a lot for your answer and help.

Please, I need to know how integrate Meraki in ISE in this case.

I found some links about "ISE Secure Access Wizard - BYOD Single SSID" and "BYOD with Device Registration and Native Supplicant Provisioning" but these links talk about the integration regarding to Secure Access - BYOD Single SSID, between ISE and Cisco Wireless Lan Controllers. Please, I need your help if you know if there are any links that to show how is the integration between Meraki and ISE regarding to Secure Access - BYOD Single SSID.

Again, Thank you very much for your help.

I look forward to your answer, of course, don't hesitate to contact me.

Best Regards
Alejandro

peto · ‎Jan 6 2021

Hi, I use it with MR33 and it works with some issues connected to endpoints limitations - eg Big Sur.

The configuration is like this:

Association requirements -> Enterprise with (my radius server)
Splash page - Cisco Identity Services Engine (ISE) Authentication
the setup your radius servers and you are done from the Meraki side

PhilipDAth · ‎Jan 6 2021

I don't know the answer.

Do either of these links help?

https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w...

GIdenJoe · ‎Jan 10 2021

I believe the difficulty here is how to make sure you get a redirect-url and acl working on the Meraki AP's when your session comes int with PEAP-MSCHAP and then after the CoA get the allow any acl afterwards without redirect.

The document @PhilipDAth describes about the Client posture is a good starting point but it isn't exactly the same and does leave out some necessary details.

So the start configuration should be:
Layer 2 auth
WPA-2 enterprise with my radius server (add ISE info)
CoA enabled
Radius attribute specifying group policy: airespace-acl-name or filter-ID

Layer 3 auth (splash page)
- Cisco ISE captive portal
- Add ISE IP to walled garden

So the lowest authz rule in ISE should then have the redirect url attribute set, apparently the ACL does not matter here because the walled garden takes care of that?
Then when you add the full auth above this one with just an access accept and perhaps VLAN number or other group policy allowing all relevant traffic it should work. Group-policy in Meraki dashboard is matched by airespace-acl-name or filter-ID in ISE depending on how you configured the SSID.

This info is based on some logic, not experience or peer information 🙂

EDIT: Alex Burger to the rescue.
On his website there are two vid's that explain it.
Don't go directly to the single SSID onboarding though because alot of the configuration leans on the previous video.

First watch this one: https://wirelesslywired.com/2017/05/19/byod-with-device-registration-and-native-supplicant-provision...

Then watch this one: https://wirelesslywired.com/2017/05/30/single-ssid-byod-onboarding/

AJDINI · ‎Feb 10 2021

Hello Everyone:

My Client will be take a time to decide if They use the Splash Page in ISE.

I keep you posted when I would have news about this issue.

Thank you very much for your help.

Best Regards
Alejandro Dini