Meraki

Community

Meraki AP(NAD) group policy working not properly

Solved
MakaraMEAS
Getting noticed
‎Mar 25 2022 6:40 PM
‎Mar 25 2022 6:40 PM

Meraki AP(NAD) group policy working not properly

Dear community,

I just tested group policy which integrate with Cisco ISE, I notice that sometime it match not properly. Sometime it match the group policy that wish to apply, sometime it match default or not automatic move from one group policy group base on authorization requirement. I have opened case with TAC as well but they said configuration all fine.
If you have the same experience, please kindly share the solutions or any resource configuration both Meraki MR and Cisco ISE.

Thanks,
Makara MEAS.

M.MAKARA
Labels:
1 Accepted Solution
In response to MakaraMEAS
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2022 12:27 PM
‎Mar 27 2022 12:27 PM

Is this for a 802.1x or something else, like a splash page?

 

802.1x does not have access to anything prior to authentication, in any environment, Meraki or otherwise.  You have to authenticate just to get an IP address.

 

If this is some kind of splash page setup, you would have default global rules allowing access to AD/DNS, and then have the user authenticate, and then push a group policy with the new group policy to use with the new access rules.

 

It's not clear to me what method you are using, but perhaps these Meraki guides might be of help (the first is using MAC bypass, the second is using WPA2-Enterprise mode):

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w... 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE 

View solution in original post

10 Replies 10
SopheakMang
Building a reputation
‎Mar 25 2022 7:06 PM
‎Mar 25 2022 7:06 PM

cool nas

In response to SopheakMang
MakaraMEAS
Getting noticed
‎Mar 25 2022 7:06 PM
‎Mar 25 2022 7:06 PM

How?

M.MAKARA
In response to MakaraMEAS
SopheakMang
Building a reputation
‎Mar 25 2022 7:07 PM
‎Mar 25 2022 7:07 PM

Yerng chea pi na ke ?

alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 25 2022 7:13 PM
‎Mar 25 2022 7:13 PM

@MakaraMEAS  the ACL on Cisco ISE and Group Policy on Meraki Dashboard has to have the same name.

 

https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/361....

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
MakaraMEAS
Getting noticed
‎Mar 25 2022 7:37 PM
‎Mar 25 2022 7:37 PM

I got you, it require the same name. But in testing environment it is not smooth to rollout for production.
From your experience it is working fine?

M.MAKARA
0 Kudos
In response to MakaraMEAS
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 26 2022 5:22 AM
‎Mar 26 2022 5:22 AM

Yep, It has been working fine. 🙂

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
MakaraMEAS
Getting noticed
‎Mar 27 2022 6:21 PM
‎Mar 27 2022 6:21 PM

Okay cool, maybe my configuration issue with MR.

M.MAKARA
0 Kudos
In response to alemabrahao
MakaraMEAS
Getting noticed
‎Mar 25 2022 7:40 PM
‎Mar 25 2022 7:40 PM

We design (802.1x) group policy for authentication and authorization like below:
authentication: group policy permit only access to AD/DNS only

after authentication success:
authorization: group policy permit specific destination/service.

You know when it move from authentication to full authorization sometime not smooth.

M.MAKARA
0 Kudos
In response to MakaraMEAS
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2022 12:27 PM
‎Mar 27 2022 12:27 PM

Is this for a 802.1x or something else, like a splash page?

 

802.1x does not have access to anything prior to authentication, in any environment, Meraki or otherwise.  You have to authenticate just to get an IP address.

 

If this is some kind of splash page setup, you would have default global rules allowing access to AD/DNS, and then have the user authenticate, and then push a group policy with the new group policy to use with the new access rules.

 

It's not clear to me what method you are using, but perhaps these Meraki guides might be of help (the first is using MAC bypass, the second is using WPA2-Enterprise mode):

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w... 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Device_Posturing_using_Cisco_ISE 

In response to PhilipDAth
MakaraMEAS
Getting noticed
‎Mar 27 2022 7:53 PM
‎Mar 27 2022 7:53 PM

Thank you, your link is useful for me.
I just wonder why it sometime not switch from one rule to one rule not properly. sometime it match to general group policy, which is not the requirement.

M.MAKARA
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.