topic Re: Meraki MR and ISE integration in Network Access Control

Meraki MR and ISE integration

maufuent — Thu, 06 Apr 2017 12:25:43 GMT

Hello:

I have a customer that is using Meraki MR AP and they want to authenticate users on AD, but tying each user to their PC (MAC Address). I know that with ISE we can do it, but I dont know if Meraki MR, using 802.1X PEAP-MSCHAP, sends Calling Station ID attribute or similar to tie the wireless device. Do you know if is it possible or ideas to do it?

Thanks in advanced

Mauricio

Re: Meraki MR and ISE integration

Timothy Abbott — Thu, 06 Apr 2017 14:04:56 GMT

Mauricio,

Calling Station ID is a pretty RADIUS attribute and I'm pretty sure the MR access point have this functionality. What I don't understand is how you are trying to tie the user and machine together. Are you looking for something link EAP-Chaining?

Regards

-Tim

Re: Meraki MR and ISE integration

maufuent — Thu, 06 Apr 2017 20:31:27 GMT

Thanks Tim. Is more simple my request

My customer is looking for a way to authorize access to an user just if it is using their assigned PC.

I think to put in AD a field attribute as user’s PC MAC address and using 802.1X PEAP-MSCHAP, send from ISE an authentication request with user/password and get from AD this attribute to compare with calling station ID attribute ( if Meraki sends it on Radius request). It will work?

Regards

Mauricio

De: Timothy Abbott <community@cisco.com>

Responder a: "jive-63888371-5kln-2-5dtg@cisco-marketing.hosted.jivesoftware.com" <jive-63888371-5kln-2-5dtg@cisco-marketing.hosted.jivesoftware.com>

Fecha: jueves, 6 de abril de 2017, 11:05

Para: "Mauricio Fuentes (maufuent)" <maufuent@cisco.com>

Asunto: Re: - Meraki MR and ISE integration

Cisco Communities <https://communities.cisco.com/>

Meraki MR and ISE integration

reply from Timothy Abbott<https://communities.cisco.com/people/tiabbott> in Technology > Security Community > Policy and Access > Identity Services Engine (ISE) - View the full discussion<https://communities.cisco.com/message/251188#251188>

Re: Meraki MR and ISE integration

hslai — Thu, 06 Apr 2017 23:25:59 GMT

Perhaps, you want to consider this Deny and allow workstation logons with Group Policy – 4sysops

Please remember to add ISE PSNs to the list, tho.

Re: Meraki MR and ISE integration

Ping Zhou — Fri, 07 Apr 2017 00:11:26 GMT

Would simple ISE MAR do the job if this is pure Microsoft environment?

Re: Meraki MR and ISE integration

hslai — Sat, 08 Apr 2017 05:39:48 GMT

MAR checks whether the endpoint performing AD computer authentication within the MAR cache timeout. MAR does not tie one particular user to the list of devices.