This document outlines the detailed steps to configure wired 802.1X posture with Cisco ISE. The switch used is a Meraki MS switch. Before proceeding, check the Meraki MS switch compatibility with Cisco ISE here - https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-p/3618650#toc-hId-1193415977

Ensure the switch has the Group Policy ACL, URL Redirect and CoA features available. ISE posturing will not work without them: the group policy ACL restricts what the port can reach while the endpoint is being assessed, URL redirect sends the endpoint's web traffic to the ISE portal, and CoA lets ISE re-authorize the port once the posture status changes.

I couldn't find a comprehensive document for setting up wired posture, hence I created one as per the setup I have done. The first configuration is done on the Meraki MS switch.

Meraki MS Switch Configuration

Step 1. Log in to the Meraki Dashboard and go to Switching > Configure > Access policies. Enter the configuration as below.

Step 2. Note the name of the access policy; this exact name must be used as the redirection ACL name in ISE.

Step 3. Enter the ISE IP in the RADIUS server field and test the connectivity. Ensure the RADIUS attribute "Filter-Id" is selected, as it is the key to this setup: the ACL name that ISE returns (the Airespace-ACL-Name configured in the ISE authorization profile) is passed to the MS via this attribute.

Note: as of Dec 2023, Meraki MS switches do not support DACLs.

Step 4. Go to Switching > Monitor > Switch ports, select the ports to be used for wired posture and apply the access policy created above. You can apply it to as many ports as required.

Cisco ISE Configuration

Step 1. ISE > Work Centers > Posture > Network Devices: add the Meraki switch IP and configure the RADIUS authentication settings. The shared secret must match the one entered in the Meraki access policy.

Step 2. ISE > Work Centers > Posture > Policy Elements > Allowed Protocols: add a new list and select only the EAP protocols you require (I had selected all for the time being); the rest were left at the default settings. Read the section "Choosing an EAP Method" from here - https://www.intel.com/content/www/us/en/support/articles/000006999/wireless/legacy-intel-wireless-products.html#:~:text=Unlike%20EAP%2DTLS%2C%20EAP%2D,certificate%20to%20achieve%20mutual%20authentication.
Step 3. ISE > Work Centers > Posture > Policy Elements > Downloadable ACL: create three ACLs for the unknown, non-compliant and compliant states. The ACLs use IOS extended ACL syntax: they are evaluated top-down, the first match wins, and there is an implicit deny at the end.

Unknown_DACL (only DHCP, DNS and traffic to ISE are allowed; everything else is blocked):

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <ISE IP>
permit tcp any host <ISE IP>
deny ip any any
deny tcp any any

(The "permit tcp any host <ISE IP>" and "deny tcp any any" lines are already covered by the "permit ip" and "deny ip" lines above them and can be left out.)

NonCompliant_DACL (DHCP, DNS and ISE are allowed; the internal LAN is blocked):

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <ISE IP>
deny ip any <LAN NW> 0.0.255.255

Because the ISE host line comes before the LAN deny, the endpoint can still reach ISE even though ISE sits inside the LAN range. Nothing follows the LAN deny, so the implicit deny also blocks Internet access; if the remediation needs to reach the Internet, add "permit ip any any" as the last line.

The third ACL, Compliant_DACL, can be the default "permit all IPv4 traffic" ACL (permit ip any any).

Since the MS does not apply DACLs (see the note in the switch configuration), the contents of these DACLs are not enforced on the MS port; the restriction there comes from the Meraki side (the group policy ACL). The DACLs still document the intended restriction per state and apply on switches that do support them.

Step 4. ISE > Work Centers > Posture > Policy Elements > Authorization Profiles: create three authorization profiles for the unknown, non-compliant and compliant states.

Profile_Unknown: select the DACL name Unknown_DACL and configure Web Redirection as below. The key to this setup is the ACL name in the Web Redirection section of the screenshot: it must be exactly the same as the access policy name created in the Meraki MS switch (see the Meraki MS switch configuration). For the value, choose an ISE portal; you can create a new portal from ISE > Work Centers > Posture > Client Provisioning > Client Provisioning Portal. The final result should be as below.

Non-compliant profile, using the non-compliant DACL:

Compliant profile, using the compliant DACL:

Step 5. ISE > Work Centers > Posture > Client Provisioning > Resources: upload the agent packages.
Click Add > Agent resources from local disk. Select Category > Cisco Provided Packages, click Browse, locate the AnyConnect or Secure Client head-end .pkg package file and upload it (you need to download this from software.cisco.com). Click Submit, then Confirm when prompted.
Click Add > Agent resources from Cisco site, locate the AnyConnect Compliance Module for Windows and save it. Click Submit, then Confirm when prompted.

Step 6. ISE > Work Centers > Posture > Client Provisioning > Resources: create a new Agent Posture Profile. Set the Discovery Host to the ISE IP address, the Server name rules to the ISE FQDN, and the Call Home List to the ISE IP address. Leave everything else at default and save.

Step 7. ISE > Work Centers > Posture > Client Provisioning > Resources: create a new Agent Configuration. Select the agent package and compliance module from the drop-downs.
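To make the first-match and implicit-deny behaviour of the three DACLs above concrete, here is an added example (not part of the original article, and not Cisco or Meraki code): a small evaluator for the IOS-style extended ACL lines used in the DACLs, run over a few constructed sample flows. The ISE address 10.0.0.10, the LAN range 10.0.0.0/0.0.255.255 and the endpoint addresses are assumptions standing in for the article's <ISE IP> and <LAN NW> placeholders.

```python
"""Added example: evaluate the article's three ISE DACLs against sample flows.
Not code from the original article; addresses below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ISE_IP = "10.0.0.10"                                # assumption: stands in for <ISE IP>
LAN_NW, LAN_WILDCARD = "10.0.0.0", "0.0.255.255"    # assumption: <LAN NW> 0.0.255.255

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# The three DACLs from the article, with the placeholders substituted.
UNKNOWN_DACL = f"""
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host {ISE_IP}
permit tcp any host {ISE_IP}
deny ip any any
deny tcp any any
"""
NONCOMPLIANT_DACL = f"""
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host {ISE_IP}
deny ip any {LAN_NW} {LAN_WILDCARD}
"""
# Same ACL with an explicit final permit, so remediation can reach the Internet.
NONCOMPLIANT_DACL_OPEN = NONCOMPLIANT_DACL + "permit ip any any\n"
COMPLIANT_DACL = "permit ip any any"


@dataclass
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]        # (address, wildcard) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (addr, wild), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; only 'eq' is supported here."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return port, i + 2
    return None, i


def parse_acl(text: str):
    """Parse extended ACL lines of the form: action proto src [eq p] dst [eq p]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        action, proto = t[0], t[1]
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules


def _addr_match(spec, ip: str) -> bool:
    addr, wild = spec                       # wildcard bits set to 1 are ignored
    return (int(ipaddress.ip_address(ip)) | wild) == (addr | wild)


def evaluate(rules, proto, src, sport, dst, dport) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_addr_match(r.src, src) and _addr_match(r.dst, dst)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed sample flows from an endpoint on the LAN: (proto, src, sport, dst, dport).
SAMPLE_FLOWS = {
    "dhcp":       ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns":        ("udp", "10.0.5.20", 51000, "10.0.0.53", 53),
    "ise_portal": ("tcp", "10.0.5.20", 51001, ISE_IP, 8443),
    "lan_share":  ("tcp", "10.0.5.20", 51002, "10.0.7.9", 445),
    "internet":   ("tcp", "10.0.5.20", 51003, "93.184.216.34", 443),
}


def posture_matrix():
    """Return {posture state: {flow name: 'permit' | 'deny'}} for the four ACLs."""
    acls = {
        "unknown": parse_acl(UNKNOWN_DACL),
        "noncompliant": parse_acl(NONCOMPLIANT_DACL),
        "noncompliant_open": parse_acl(NONCOMPLIANT_DACL_OPEN),
        "compliant": parse_acl(COMPLIANT_DACL),
    }
    return {state: {name: evaluate(rules, *flow) for name, flow in SAMPLE_FLOWS.items()}
            for state, rules in acls.items()}


if __name__ == "__main__":
    for state, results in posture_matrix().items():
        print(f"{state:18} " + "  ".join(f"{n}={v}" for n, v in results.items()))
```

Running it shows the unknown state letting through only DHCP, DNS and the ISE portal, the non-compliant ACL as written blocking the Internet through the implicit deny, and the variant with a trailing "permit ip any any" still blocking the LAN while allowing the Internet. The evaluator only understands the "eq" port form and the address forms used on this page; it is a reasoning aid, not a replacement for testing on the switch.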
Select ISE Posture under "Cisco Secure Client Module Selection". In the Profile Selection, select "ISE Posture, Network Access Manager, Network Visibility" from the drop-down.

Step 8. ISE > Work Centers > Posture > Client Provisioning > Client Provisioning Policy: create a new policy and set the result to the agent configuration you created above. Select the required operating system or other required conditions. Ensure the policy is enabled; an enabled policy has a tick mark on the left side.

Step 9. Open Policy Sets and create a new policy set. Select the allowed protocols list created in the step above. Expand the policy set and create a new authentication policy: in the conditions, select Wired_802.1X and Wired_MAB (combined with OR), and select the required user ID store, internal or AD.

Open the authorization policy and create three new rules as below, one per posture state. The usual conditions are Session·PostureStatus EQUALS Compliant (returning the compliant profile), NonCompliant (returning the non-compliant profile) and Unknown, i.e. the endpoint has not yet been assessed (returning Profile_Unknown, which carries the web redirection). Save the policy.

Step 10. ISE > Work Centers > Posture > Policy Elements > Conditions: create your required condition. I have created a simple file condition.

Step 11. ISE > Work Centers > Posture > Policy Elements > Requirements: create a requirement referring to the condition you created above. Set the remediation action to Message Text Only. Select your required operating system, agent type, compliance module version, etc.

Step 12. ISE > Work Centers > Posture > Posture Policy: create a new policy referring to the requirement above. Select your required operating system, agent type, etc. Ensure the policy is enabled; an enabled policy has a tick mark on the left side.

Endpoint Configuration

For 802.1X authentication to work, the client system's network adapter must be configured as below. On Windows, the Authentication tab of the adapter properties only appears when the Wired AutoConfig (dot3svc) service is running. You can choose which EAP authentication to use. For this setup I am using basic password-based EAP authentication without client certificates.

EAP-TLS: relies on client-side and server-side certificates to perform mutual authentication. This is considered one of the strongest EAP types; however, it requires each and every client to have a certificate pre-installed.
EAP-PEAP: requires only a server-side certificate, which the client uses to authenticate the authentication server. PEAP is known as a tunneled EAP type because it first establishes an outer TLS tunnel and then sends the credentials through an inner tunnel. The inner method can be virtually any EAP type, but the widely used one is MSCHAPv2.

EAP-FAST: is very similar to PEAP. It first establishes an outer TLS tunnel (using a PAC or a server certificate) and, inside this encrypted tunnel, a secondary inner EAP method (such as MSCHAPv2) authenticates the user.

Testing the Setup

Connect a laptop to the switch port and browse to any website. You should be redirected to the ISE portal as in the screenshots below. Download the Cisco Secure Client from the redirected portal and install it on the laptop. Once installed, the client runs the posture check; when the endpoint is found compliant, ISE sends a CoA and the port is re-authorized with the compliant profile, permitting you onto the network. ISE > Operations > RADIUS > Live Logs shows the session moving from Profile_Unknown to the compliant profile after the CoA.