Group-policy applied to client via Cisco ISE

peto
Getting noticed

Group-policy applied to client via Cisco ISE

Hi,

I have the following problem. I use Cisco ISE to assign group-policy to clients based on the authorization result. I can see successfully applied policy in the Client page via 802.1x. The thing is that the configured filtering (content or URL) doesn't work when the group-policy is applied via dot1x. L3 firewall works, there is no issue. When I apply group-policy manually to the client, everything works as expected. The support told me that it is expected behaviour: the policy does apply to layer 3 for the MX and the MR but not per SSID.

Suggestion is to apply policy manually or via AD.

But I would like to have it applied via dot1x. Does anybody have experience with this?

 

thank you

2 Replies 2
BrechtSchamp
Kind of a big deal

Applying group policy by RADIUS attribute is only for the MR as shown in the table here:

2019-05-02 11_25_32-Window.png

https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

And for the MR content filtering is not supported as shown in the table here:

2019-05-02 11_25_20-Window.png

https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

 

So that's why.

 

To solve your issue I'd try going at it in a different way. What about assigning a dynamic VLAN to clients and applying group policies on a VLAN basis?

Hi,

the client I test from is connected to the wifi, so dot1x should be applied as per the documentation. This works, group-policy is applied. The second table says that content filtering is not supported on the MR - correct. I expect that the content filtering in my situation is done on the MX. And if the content filtering is done on the MR then my question is why the content filtering works when I assign the group-policy manually to the client.

thank you

Get notified when there are additional replies to this discussion.