https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3184564#M555605 <P>The firmware of the APs in the Meraki Dashboard claims to be "Up to date".</P><P>&nbsp;</P><P>I'm using ISE to authenticate Wireless 802.1x corporate users against the AD using PEAP-MSCHAPv2. Using the default Wireless 802.1x compund condition (which uses Radius:Service-Type = Framed) simply does not work. The rule is skipped and the request ends up being catched by the default authentication rule.</P><P>&nbsp;</P><P>I created a new condition with only Radius:NAS-Port-Type - Wireless - IEEE 802.11 and now that rule catches the request.</P><P>&nbsp;</P><P>However, the same thing happens with the Authorization rule. Meraki seems to not understand Radius:Service-Type and the rule that uses it gets skipped. If I get rid of that attribute and try to match on an AD group, it also won't match.</P><P>&nbsp;</P><P>Is there a way to create different authroization rules on ISE based on different AD groups if my APs are Meraki?</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>Alfonso</P> Fri, 21 Feb 2020 18:34:12 GMT Alfonso Lopez 2020-02-21T18:34:12Z https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3184564#M555605 <P>The firmware of the APs in the Meraki Dashboard claims to be "Up to date".</P><P>&nbsp;</P><P>I'm using ISE to authenticate Wireless 802.1x corporate users against the AD using PEAP-MSCHAPv2. Using the default Wireless 802.1x compund condition (which uses Radius:Service-Type = Framed) simply does not work. The rule is skipped and the request ends up being catched by the default authentication rule.</P><P>&nbsp;</P><P>I created a new condition with only Radius:NAS-Port-Type - Wireless - IEEE 802.11 and now that rule catches the request.</P><P>&nbsp;</P><P>However, the same thing happens with the Authorization rule. Meraki seems to not understand Radius:Service-Type and the rule that uses it gets skipped. If I get rid of that attribute and try to match on an AD group, it also won't match.</P><P>&nbsp;</P><P>Is there a way to create different authroization rules on ISE based on different AD groups if my APs are Meraki?</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>Alfonso</P> Fri, 21 Feb 2020 18:34:12 GMT https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3184564#M555605 Alfonso Lopez 2020-02-21T18:34:12Z https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3184937#M555606 Hi <BR /><BR />I didn't do dot1x implementation with Meraki devices. <BR />However i can help you on ise. <BR />First of all, can you take a tcpdump capture on ise while authenticating through a Meraki devices? <BR /><BR />Can you share your ise configuration as will to take a look?<BR /> Sat, 16 Sep 2017 03:30:55 GMT https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3184937#M555606 Francesco Molino 2017-09-16T03:30:55Z https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3188850#M555607 <P>Well, I solved it by simply installing patch 1 on our ISE 2.2</P><P>&nbsp;</P><P>It's now matching a rule that uses Service-Type = Framed.</P><P>&nbsp;</P><P>The authorization condition has 4 attributes:</P><P>- Nas Port Type = Wireless IEEE 802.11</P><P>- Service Type = Framed</P><P>- External Group = Domain Users</P><P>- Networkaccess = Userauthenticated</P><P>&nbsp;</P><P>So, I hope this helps someone else facing the same issue. The solution was simply to install patch 1...</P> Mon, 25 Sep 2017 08:28:08 GMT https://community.cisco.com/t5/network-access-control/ise-with-meraki-using-wireless-802-1x-radius-service-type-framed/m-p/3188850#M555607 Alfonso Lopez 2017-09-25T08:28:08Z