Meraki WiFi + ISE 3.1 + Azure AD

Here to help

Meraki WiFi + ISE 3.1 + Azure AD

Hi Guys,


One of my clients uses Meraki Wifi solution + on-prem ISE 3.1 + on-prem AD.

Everything works fine. Now, they would like to migrate to Azure AD and use it as an identity store for Radius.

The Meraki documentation below states there is an integration between ISE 3.1 and AAD, and it uses EAP-TTLS with PAP.




The question is whether someone has deployed this in real life and if there are any caveats or restrictions. What I am also trying to find is would MAC OS or IOS users be supported or only Windows-based endpoints.

Thanks so much for your help in advance!

Kind of a big deal
Kind of a big deal

If you're using user credentials it would not matter what device you are using as long as it supports EAP-TTLS/PAP on it's supplicant.


I'm not too familiar with windows stuff and AAD but if you can add machine credentials other than windows OS pc's in AAD then I don't see a reason this wouldn't work.


The flow from what I have read is as follows.
Your supplicant provides the user or machine credentials depending on the configuration via the EAP session to AAD.  Then for the authorization part, ISE makes an ROPC call to AAD to get the group member ship of the user to use in the authorization rules.

That's what I need to know, is that something that pretty much all OS are supporting? EAP-TTLS/PAP?

Would it also work with MFA?


Kind of a big deal
Kind of a big deal

EAP-TTLS is quite widely supported but you would need to test before going into production with that.
I'm not sure about MFA however keep in mind that MFA is not something you want to enforce for wireless and wired network access since every time you roam you may have to approve your connection of you're not doing a fast roam.  That would be a usability nightmare 😉

For VPN MFA is certainly a must have but the config in ISE for VPN is not something I have tried yet.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.