
Meraki - ISE Secure Access - BYOD Single SSID

New here

Regarding this issue, I found a similar configuration, but between ISE and Cisco Wireless LAN Controllers. Please, I need your help to find out whether the Meraki-ISE integration for BYOD on a single SSID is possible.

I look forward to your advice and, of course, please don't hesitate to contact me.

Thanks in advance for your help.

Best Regards
Alejandro

5 REPLIES
Head in the Cloud

Re: Meraki - ISE Secure Access - BYOD Single SSID

I never used it with a single SSID, but I do not see any reason why it should not work. In ISE you need to distinguish the enrolment by the EAP type. While the access is PEAP, the user is not yet enrolled. When EAP-TLS is used, the enrolment is finished.

New here

Re: Meraki - ISE Secure Access - BYOD Single SSID


First of all, thanks a lot for your answer and help.

Please, I need to know how to integrate Meraki in ISE in this case.

I found some links about "ISE Secure Access Wizard - BYOD Single SSID" and "BYOD with Device Registration and Native Supplicant Provisioning", but these links talk about the integration for Secure Access - BYOD Single SSID between ISE and Cisco Wireless LAN Controllers. Please, I need your help: do you know if there are any links that show how the integration between Meraki and ISE works for Secure Access - BYOD Single SSID?

Again, thank you very much for your help.

I look forward to your answer and, of course, don't hesitate to contact me.

Best Regards
Alejandro

 

Getting noticed

Re: Meraki - ISE Secure Access - BYOD Single SSID

Hi, I use it with MR33 and it works, with some issues connected to endpoint limitations, e.g. Big Sur.

The configuration is like this:

Association requirements -> Enterprise with (my radius server)
Splash page - Cisco Identity Services Engine (ISE) Authentication
then set up your RADIUS servers and you are done from the Meraki side

Kind of a big deal
Head in the Cloud

Re: Meraki - ISE Secure Access - BYOD Single SSID

I believe the difficulty here is how to make sure you get a redirect-url and ACL working on the Meraki APs when your session comes in with PEAP-MSCHAP, and then after the CoA get the allow-any ACL afterwards without redirect.

The document @PhilipDAth describes about client posture is a good starting point, but it isn't exactly the same and does leave out some necessary details.

So the start configuration should be:
Layer 2 auth
WPA-2 enterprise with my radius server (add ISE info)
CoA enabled
Radius attribute specifying group policy: airespace-acl-name or filter-ID

Layer 3 auth (splash page)
- Cisco ISE captive portal
- Add ISE IP to walled garden

So the lowest authz rule in ISE should then have the redirect URL attribute set; apparently the ACL does not matter here because the walled garden takes care of that?
Then, when you add the full auth above this one with just an access accept and perhaps a VLAN number or other group policy allowing all relevant traffic, it should work. Group policy in the Meraki dashboard is matched by airespace-acl-name or filter-ID in ISE, depending on how you configured the SSID.

This info is based on some logic, not experience or peer information 🙂


EDIT: Alex Burger to the rescue.
On his website there are two videos that explain it.
Don't go directly to the single SSID onboarding though, because a lot of the configuration leans on the previous video.

First watch this one: https://wirelesslywired.com/2017/05/19/byod-with-device-registration-and-native-supplicant-provision...

Then watch this one: https://wirelesslywired.com/2017/05/30/single-ssid-byod-onboarding/
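
The rule ordering discussed in the replies above (an EAP-TLS full-access rule placed above a lowest rule that returns the redirect URL), as an added example that is not part of the original thread and is not ISE or Meraki code: a toy first-match model with a check for rules that can never fire. The rule names, the group policy name `BYOD-Full` and the portal URL are assumptions made for illustration.

```python
# Added illustration: a toy model of first-match authorization rules.
# It is not ISE's policy engine or API; all names below are hypothetical.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    eap_types: frozenset   # EAP methods the rule matches; empty set = any
    result: dict           # attributes returned with the access decision

def evaluate(rules, eap_type):
    """Return (rule name, result) of the first rule matching the session."""
    for r in rules:
        if not r.eap_types or eap_type in r.eap_types:
            return r.name, r.result
    return None, {"access": "reject"}

def shadowed(rules):
    """Names of rules that can never match because earlier rules cover them."""
    seen, catch_all, out = set(), False, []
    for r in rules:
        if catch_all or (r.eap_types and r.eap_types <= seen):
            out.append(r.name)
        if not r.eap_types:
            catch_all = True
        seen |= r.eap_types
    return out

PORTAL = "https://ise.example.invalid/portal"   # placeholder portal URL

# Enrolled devices (EAP-TLS): plain accept plus a group policy via Filter-Id.
FULL = Rule("enrolled-eap-tls", frozenset({"EAP-TLS"}),
            {"access": "accept", "Filter-Id": "BYOD-Full"})
# Everything else (e.g. PEAP during onboarding): accept with a redirect.
ONBOARD = Rule("onboarding-redirect", frozenset(),
               {"access": "accept", "redirect_url": PORTAL})

GOOD = [FULL, ONBOARD]   # ordering described in the thread
BAD = [ONBOARD, FULL]    # catch-all first: enrolled devices stay redirected

if __name__ == "__main__":
    for label, policy in (("good", GOOD), ("bad", BAD)):
        for eap in ("PEAP", "EAP-TLS"):
            print(label, eap, evaluate(policy, eap))
        print(label, "shadowed rules:", shadowed(policy))
```
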
