Regarding this issue, I found a similar configuration, but between ISE and Cisco Wireless LAN Controllers. Please, I need your help to find out whether the Meraki-ISE integration for BYOD in Single SSID is possible.
I look forward to your advice; of course, please don't hesitate to contact me.
I never used it with single SSID but I do not see any reason why it should not work. In ISE you need to distinguish the enrolment by the EAP type. While the access is PEAP, the user is not yet enrolled. When EAP-TLS is used, the enrolment is finished.
First of all, thanks a lot for your answer and help.
Please, I need to know how to integrate Meraki in ISE in this case.
I found some links about "ISE Secure Access Wizard - BYOD Single SSID" and "BYOD with Device Registration and Native Supplicant Provisioning", but these links talk about the Secure Access - BYOD Single SSID integration between ISE and Cisco Wireless LAN Controllers. Please, I need your help: do you know of any links that show the integration between Meraki and ISE for Secure Access - BYOD Single SSID?
Again, thank you very much for your help.
I look forward to your answer, of course, don't hesitate to contact me.
I believe the difficulty here is how to make sure you get a redirect-url and ACL working on the Meraki APs when your session comes in with PEAP-MSCHAP, and then after the CoA get the allow-any ACL afterwards without redirect.
The document about client posture that @PhilipDAth describes is a good starting point, but it isn't exactly the same and does leave out some necessary details.
So the start configuration should be:
Layer 2 auth
 - WPA-2 enterprise with my radius server (add ISE info)
 - CoA enabled
 - Radius attribute specifying group policy: airespace-acl-name or filter-ID
Layer 3 auth (splash page)
 - Cisco ISE captive portal
 - Add ISE IP to walled garden
So the lowest authz rule in ISE should then have the redirect URL attribute set; apparently the ACL does not matter here because the walled garden takes care of that? Then when you add the full auth above this one, with just an access accept and perhaps a VLAN number or other group policy allowing all relevant traffic, it should work. Group policy in the Meraki dashboard is matched by airespace-acl-name or filter-ID in ISE, depending on how you configured the SSID.
This info is based on some logic, not experience or peer information 🙂
EDIT: Alex Burger to the rescue. On his website there are two videos that explain it. Don't go directly to the single SSID onboarding though, because a lot of the configuration leans on the previous video.