Adding Meraki AP as a "network device" on a Cisco ISE

Solved
Raphael_M
Here to help

Hello everybody,

I tried to search if this had already been discussed somewhere but I can't find anything.

In our environment we use a Cisco ISE to authenticate our WiFi clients. As you may know, before the authentication takes place, the device sending the RADIUS request has to be added as a "network device" on the ISE with a shared secret to make sure it is allowed to perform the RADIUS request.

In a traditional Cisco WiFi deployment with controllers all we had to do was add all our controllers to this list, which was manageable (<10). Now, is there any best practice on how to do this when we have potentially thousands of Meraki APs sending RADIUS requests to our ISE (since there is no controller anymore in the Meraki world)?

  • Is there any integration between the ISE and the Meraki dashboard to automatically trust and configure the Meraki APs on the ISE once they are added to the dashboard?
  • Should we configure a single network device (for instance with the 10.0.0.0/8 range) that will cover all APs, but using the same shared secret?

Any help would be appreciated!

Thanks.

1 Accepted Solution
NolanHerring
Kind of a big deal

I just do the entire subnet the access points are placed on to avoid that nightmare. Plus I also don't use static IP addresses for the access points, another nightmare to have to maintain.

So I would recommend you use a dedicated management native-VLAN for access points, let them use DHCP because it doesn't actually matter so long as they can connect to the cloud, and in ISE just put in a /24 as the range and call it a day. Works for me 😃
Nolan Herring | nolanwifi.com

6 Replies
BrechtSchamp
Kind of a big deal
Raphael_M
Here to help

This document is quite detailed, I had never seen it before.

That being said it goes a bit quickly on how to configure thousands and thousands of access points:

"Repeat steps 1 through 7 for additional Meraki access points that will be used in the ISE deployment"

I really want to avoid having to manually configure a network device on the ISE every time we deploy a new AP.

Raphael_M
Here to help

I guess this is how we are going to configure it in the end if there is no "cleaner" way!
PhilipDAth
Kind of a big deal

Just add a subnet in ISE, such as 10.x.0.0/16 - rather than individual AP IP addresses. You probably only need to define a single subnet to cover every access point.

BrechtSchamp
Kind of a big deal

One other way you could perhaps tackle this is to combine ISE's bulk import with Meraki's API.

The API call you could use is this one:

List the status of every Meraki device in the organization

HTTP REQUEST

GET /organizations/[organizationId]/deviceStatuses

PARAMETERS

None

SAMPLE REQUEST

curl -L -H 'X-Cisco-Meraki-API-Key: <key>' -X GET -H 'Content-Type: application/json' 'https://api.meraki.com/api/v0/organizations/[organizationId]/deviceStatuses'

SAMPLE RESPONSE

Successful HTTP Status: 200
[
  {
    "name":"My AP",
    "serial":"Q2XX-XXXX-XXXX",
    "mac":"00:11:22:33:44:55:66",
    "status":"online",
    "lanIp":"1.2.3.4",
    "publicIp":"4.3.2.1",
    "networkId":"N_1234"
  }
]
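The bulk-import idea above carried through in Python, as an added example that is not code from this thread or from Cisco/Meraki: it parses a constructed deviceStatuses response of the shape quoted, emits one /32 network-device row per AP for ISE bulk import, and computes how wide a single covering subnet entry (the /8 or /24 discussed earlier) would really be. The CSV column names, the "MR-" naming and the per-network secret handling are assumptions; the fetch itself (the curl call above) is left out so the script runs offline.

```python
import csv
import io
import ipaddress
import json
import secrets

# Constructed sample shaped like the deviceStatuses response quoted above; the
# offline unit reports no lanIp, as an unplugged AP does. Not real devices.
SAMPLE_DEVICE_STATUSES = json.dumps([
    {"name": "AP-Lobby", "serial": "Q2XX-AAAA-0001", "status": "online", "lanIp": "10.20.5.11", "networkId": "N_1"},
    {"name": "AP-Floor1", "serial": "Q2XX-AAAA-0002", "status": "online", "lanIp": "10.20.5.12", "networkId": "N_1"},
    {"name": "AP-Annex", "serial": "Q2XX-AAAA-0003", "status": "online", "lanIp": "10.20.6.7", "networkId": "N_2"},
    {"name": "AP-Spare", "serial": "Q2XX-AAAA-0004", "status": "offline", "lanIp": None, "networkId": "N_2"},
])
# Placeholder column names (assumption): map them onto the header row of the
# CSV template that ISE exports for network-device import.
FIELDS = ["Name", "IP Address", "RADIUS Shared Secret"]

def parse_device_statuses(raw):
    """Keep only devices that currently report a LAN IP (offline APs have none)."""
    return [d for d in json.loads(raw) if d.get("lanIp")]

def covering_network(ips):
    """Smallest single CIDR containing every IP: the real scope of a subnet entry."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(ips[0])  # start at /32 and widen until all fit
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def build_ise_rows(devices):
    """One /32 row per AP. The secret is minted once per Meraki network, because
    the dashboard sets the RADIUS secret on the SSID (network-wide), not per AP."""
    secret_for, rows = {}, []
    for d in devices:
        secret = secret_for.setdefault(d["networkId"], secrets.token_urlsafe(24))
        rows.append({"Name": f"MR-{d['serial']}", "IP Address": f"{d['lanIp']}/32",
                     "RADIUS Shared Secret": secret})  # 32 random URL-safe chars
    return rows

def render_csv(rows):
    """Serialise the rows as the CSV that ISE bulk import would ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

If covering_network() comes back much wider than the AP VLAN, every other host in that range could present RADIUS requests to ISE with the same secret, which is the trade-off behind the single-subnet approach.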