Meraki - ISE Secure Access - BYOD Single SSID

AJDINI
Here to help


Regarding this issue, I found a similar configuration, but between ISE and Cisco Wireless LAN Controllers. Please, I need your help to find out whether the Meraki-ISE integration is possible for BYOD on a single SSID.

I look forward to your advice; of course, please don't hesitate to contact me.

Thanks in advance for your help.

 

Best Regards
Alejandro

KarstenI
Kind of a big deal

I never used it with single SSID, but I do not see any reason why it should not work. In ISE you need to distinguish the enrolment by the EAP type. While the access is PEAP, the user is not yet enrolled. When EAP-TLS is used, the enrolment is finished.

AJDINI
Here to help


First of all, thanks a lot for your answer and help.

Please, I need to know how to integrate Meraki with ISE in this case.

I found some links about "ISE Secure Access Wizard - BYOD Single SSID" and "BYOD with Device Registration and Native Supplicant Provisioning", but these links talk about the Secure Access - BYOD Single SSID integration between ISE and Cisco Wireless LAN Controllers. Please, I need your help if you know of any links that show how the integration between Meraki and ISE works for Secure Access - BYOD Single SSID.

Again, thank you very much for your help.

I look forward to your answer; of course, don't hesitate to contact me.

 

Best Regards
Alejandro


peto
Getting noticed

Hi, I use it with MR33 and it works, with some issues connected to endpoint limitations, e.g. Big Sur.

The configuration is like this:

Association requirements -> Enterprise with (my RADIUS server)
Splash page -> Cisco Identity Services Engine (ISE) Authentication
Then set up your RADIUS servers and you are done from the Meraki side.

PhilipDAth
Kind of a big deal
GIdenJoe
Kind of a big deal

I believe the difficulty here is how to make sure you get a redirect URL and ACL working on the Meraki APs when your session comes in with PEAP-MSCHAP, and then, after the CoA, get the allow-any ACL without a redirect.

The document @PhilipDAth describes about client posture is a good starting point, but it isn't exactly the same and does leave out some necessary details.

So the start configuration should be:

Layer 2 auth
- WPA2-Enterprise with my RADIUS server (add ISE info)
- CoA enabled
- RADIUS attribute specifying group policy: Airespace-ACL-Name or Filter-Id

Layer 3 auth (splash page)
- Cisco ISE captive portal
- Add ISE IP to walled garden

So the lowest authz rule in ISE should then have the redirect URL attribute set; apparently the ACL does not matter here because the walled garden takes care of that?
Then, when you add the full auth above this one with just an Access-Accept and perhaps a VLAN number or another group policy allowing all relevant traffic, it should work. A group policy in the Meraki dashboard is matched by Airespace-ACL-Name or Filter-Id in ISE, depending on how you configured the SSID.

This info is based on some logic, not experience or peer information 🙂


EDIT: Alex Burger to the rescue.
On his website there are two videos that explain it.
Don't go directly to the single SSID onboarding though, because a lot of the configuration leans on the previous video.

First watch this one: https://wirelesslywired.com/2017/05/19/byod-with-device-registration-and-native-supplicant-provision...

Then watch this one: https://wirelesslywired.com/2017/05/30/single-ssid-byod-onboarding/
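A small model of the authorization ordering discussed in this thread, added here as an illustration and not code from Meraki, ISE or the linked videos: first-match rules where the EAP method separates an un-enrolled PEAP client (redirect URL pushed) from an enrolled EAP-TLS client (full-access group policy via Filter-Id or Airespace-ACL-Name), plus the CoA re-evaluation. The portal URL, the group-policy names and the cisco-av-pair encoding of the redirect are assumptions.

```python
"""ISE authorization logic as described above: first-match rules, with the EAP
method telling an un-enrolled client (PEAP, redirected to the BYOD portal) from
an enrolled one (EAP-TLS, full access via a Meraki group policy). Added example,
not Meraki or ISE code; portal URL and group-policy names are constructed."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

BYOD_PORTAL = "https://ise.example.invalid:8443/portal/byod"  # constructed value

@dataclass
class RadiusRequest:
    user: str
    eap_method: str  # "PEAP" (not yet enrolled) or "EAP-TLS" (enrolled)

@dataclass
class AuthzResult:
    access: str  # "ACCEPT" or "REJECT"
    attributes: Dict[str, Any] = field(default_factory=dict)

def group_policy_attr(policy: str, ssid_mode: str) -> Dict[str, str]:
    """Meraki matches a dashboard group policy by Filter-Id or Airespace-ACL-Name,
    depending on the SSID's RADIUS attribute setting."""
    if ssid_mode == "filter-id":
        return {"Filter-Id": policy}
    if ssid_mode == "airespace":
        return {"Airespace-ACL-Name": policy}
    raise ValueError(f"unknown SSID RADIUS attribute mode: {ssid_mode}")

def authorize(req: RadiusRequest, ssid_mode: str = "filter-id") -> AuthzResult:
    """First match wins, in the order the ISE authorization rules are stacked."""
    # Upper rule: enrolled client presenting the certificate issued at onboarding.
    if req.eap_method == "EAP-TLS":
        return AuthzResult("ACCEPT", group_policy_attr("BYOD-Full-Access", ssid_mode))
    # Lowest rule: PEAP user gets the redirect URL; the walled garden keeps ISE
    # reachable, so no redirect ACL is pushed for the Meraki side.
    if req.eap_method == "PEAP":
        attrs = {"cisco-av-pair": f"url-redirect={BYOD_PORTAL}"}
        attrs.update(group_policy_attr("BYOD-Onboarding", ssid_mode))
        return AuthzResult("ACCEPT", attrs)
    return AuthzResult("REJECT")

def onboarding_flow(user: str, ssid_mode: str = "filter-id") -> List[AuthzResult]:
    """PEAP with redirect first; after enrollment ISE sends a CoA (reauth) and the
    supplicant reconnects with EAP-TLS, which now hits the full-access rule."""
    return [authorize(RadiusRequest(user, "PEAP"), ssid_mode),
            authorize(RadiusRequest(user, "EAP-TLS"), ssid_mode)]
```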

AJDINI
Here to help

Hello Everyone:

My client will take some time to decide whether they use the Splash Page in ISE.

I will keep you posted when I have news about this issue.

Thank you very much for your help.

 

Best Regards
Alejandro Dini
