Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki WiFi + ISE 3.1 + Azure AD

GP185
Here to help
‎May 29 2023 10:28 PM
‎May 29 2023 10:28 PM

Meraki WiFi + ISE 3.1 + Azure AD

Hi Guys,

 

One of my clients uses Meraki Wifi solution + on-prem ISE 3.1 + on-prem AD.

Everything works fine. Now, they would like to migrate to Azure AD and use it as an identity store for Radius.

The Meraki documentation below states there is an integration between ISE 3.1 and AAD, and it uses EAP-TTLS with PAP.

 

@https://documentation.meraki.com/MR/Meraki_WiFi_in_a_Box_Design_Guide_(CVD)

 

The question is whether someone has deployed this in real life and if there are any caveats or restrictions. What I am also trying to find is would MAC OS or IOS users be supported or only Windows-based endpoints.

Thanks so much for your help in advance!

0 Kudos
Subscribe
3 Replies 3
GIdenJoe
Kind of a big deal
Kind of a big deal
‎May 30 2023 12:34 PM
‎May 30 2023 12:34 PM

If you're using user credentials it would not matter what device you are using as long as it supports EAP-TTLS/PAP on it's supplicant.

 

I'm not too familiar with windows stuff and AAD but if you can add machine credentials other than windows OS pc's in AAD then I don't see a reason this wouldn't work.

 

The flow from what I have read is as follows.
Your supplicant provides the user or machine credentials depending on the configuration via the EAP session to AAD.  Then for the authorization part, ISE makes an ROPC call to AAD to get the group member ship of the user to use in the authorization rules.

0 Kudos
Subscribe
In response to GIdenJoe
GP185
Here to help
‎Jun 5 2023 4:39 PM
‎Jun 5 2023 4:39 PM

That's what I need to know, is that something that pretty much all OS are supporting? EAP-TTLS/PAP?

Would it also work with MFA?

Thanks.

0 Kudos
Subscribe
In response to GP185
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jun 6 2023 12:03 PM
‎Jun 6 2023 12:03 PM

EAP-TTLS is quite widely supported but you would need to test before going into production with that.
I'm not sure about MFA however keep in mind that MFA is not something you want to enforce for wireless and wired network access since every time you roam you may have to approve your connection of you're not doing a fast roam.  That would be a usability nightmare 😉

For VPN MFA is certainly a must have but the config in ISE for VPN is not something I have tried yet.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.