Cisco ISE + Cisco Meraki VLAN override limitations

Niels Marien
Level 1

Dear,

We are installing a new WiFi infrastructure for a test site. In total, 80 other sites need to be done.

The client has chosen Cisco Meraki as their new wireless infrastructure (MR 42).

There is also an upgraded ISE, version 2.1.6. This server will be used to authenticate all SSIDs.

The dot1x SSID will be used for a lot of different devices: laptops, phones, BYOD, guests (PEAP with guest accounts).

ISE will need to override the correct VLANs.

Meraki does support VLAN override, but only with a VLAN ID (no VLAN name is possible, confirmed by the local Cisco Meraki person).

The problem is that the sites are not standardized, meaning the guest VLAN is different for each site.

So per site we will have around 8 rules in ISE, multiplied by 80 sites, which is many... many rules in ISE.

Maybe not a software limitation, but it's not scalable, it is easy to make mistakes, and it will also be a lot of extra work.

I tried to create a workaround which is not working (therefore I am posting this).

Under network device groups in ISE, I created special network groups called:

GUEST VLAN ID

CORP VLAN ID

BYOD VLAN ID

(attachment: network devices groups.jpg)

Under each network device, I placed the correct VLAN ID as the name.

I created a custom authorization profile returning the name of the VLAN ID group, but it is not working. :S

(attachment: AGC_VLAN_GUEST.JPG)

In the packet captures there is no Tunnel-Private-Group-ID [81] when doing this.

What I'm thinking is that ISE returns the full path, for example "GUEST VLAN ID#54", and should only return 54 (to get it working).

I already created a similar workaround with an AD attribute, and that's working.

Could this be checked, whether this is possible in any way?

This could change 640 rules to 8, which would be great for me to implement and for the client to manage.

Also, 8 rules are easily recreated (it is still not possible to re-import ISE rules), and it is possible to import and export devices and device groups.

Kr

Niels


7 Replies

ognyan.totev
Level 5

This is what you need in ISE, a new authorization profile:

In VLAN, use your VLAN ID; it supports names or IDs.

Hi Ognyan,

I tried to explain above why it's not a workable solution.

Meraki doesn't support names, and the IDs are not the same on each site, which means too many rules...

Kr

Niels

I have never worked with Meraki, but how do you create VLANs there? Show us some switch config, like in Cisco: show vlan summary or show vlan data. I don't get how they are created there if there are no names or tagging.

So the likely culprit is that the value for NDGs is not the "end value" in the string, but the entire path such as "ALL Guest VLAN ID#10", not simply the value "10". The attribute is not of the valid type and would become null.

Another way to achieve the result with similar logic is to simply match on the NDG in an Authorization Policy Rule condition such as...

    IF DEVICE:Guest_VLAN_ID Equals "All Guest VLAN ID#10" THEN permissions = VLAN 10

You may still end up with additional AuthZ rules, but you will reduce the list to the subset of unique NDGs which map to common VLAN schemes.

Additionally, you can use Network Conditions to match a group of Network Devices.

/Craig
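Both the question (no Tunnel-Private-Group-ID in the capture) and Craig's reply (the NDG value is the whole path, so it is not a valid VLAN value and becomes null) come down to what goes into the RFC 2868 tunnel attributes of the Access-Accept. The Python below is an added example, not code from this thread, from Cisco ISE or from Meraki: it encodes the three VLAN-override attributes (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = IEEE 802, Tunnel-Private-Group-ID 81), wraps them in an Access-Accept with the RFC 2865 Response Authenticator, and parses the reply back the way one would read a packet capture. The shared secret, the request authenticator and all function names are constructed for the example; the rule that a non-numeric value produces no attribute 81 is a model of the behaviour described in the thread, not ISE's actual implementation.

```python
import hashlib
import os
import re
import struct

# RADIUS attribute numbers (RFC 2868) used for dynamic VLAN assignment
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID (or a name, where the NAS supports it)
ACCESS_ACCEPT = 2


def ndg_leaf(ndg_value):
    """Return the final element of an ISE NDG path: 'All Guest VLAN ID#10' -> '10'."""
    return ndg_value.rsplit("#", 1)[-1]


def vlan_id(value):
    """Return value as an 802.1Q VLAN ID (1-4094), or None if it is not one.
    The NAS in the thread (Meraki MR) only accepts numeric IDs, so a name or a
    full NDG path counts as no VLAN at all."""
    if not re.fullmatch(r"[0-9]{1,4}", value):
        return None
    vid = int(value)
    return vid if 1 <= vid <= 4094 else None


def tunnel_avp(attr_type, payload, tag=0):
    """Encode one RFC 2868 tunnel AVP: type, length, tag octet, payload."""
    body = bytes([tag]) + payload
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_avps(value):
    """AVPs for a VLAN override, or b'' when the value is not a usable VLAN ID.
    The empty result models what the capture in the question showed: no attribute 81 on the wire."""
    vid = vlan_id(value)
    if vid is None:
        return b""
    return (
        tunnel_avp(TUNNEL_TYPE, struct.pack("!I", 13)[1:])        # 3-octet integer after the tag
        + tunnel_avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6)[1:])
        + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, str(vid).encode())
    )


def access_accept(identifier, request_authenticator, secret, avps):
    """Build an Access-Accept with the Response Authenticator from RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(avps)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + avps + secret).digest()
    return header + resp_auth + avps


def parse_avps(packet):
    """Return {attribute_type: [raw values]} for the attributes after the 20-byte RADIUS header."""
    avps, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        avps.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return avps


def assigned_vlan(packet):
    """VLAN ID carried in Tunnel-Private-Group-ID, or None if the reply has no VLAN override.
    Per RFC 2868 a leading octet <= 0x1F is a tag, not part of the group ID."""
    values = parse_avps(packet).get(TUNNEL_PRIVATE_GROUP_ID)
    if not values:
        return None
    raw = values[0]
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return vlan_id(raw.decode("ascii", "replace"))


def vlan_for_ndg(ndg_value, use_leaf):
    """Simulate the two behaviours discussed: returning the NDG value as-is (what ISE does)
    versus returning only its last element (what the poster wanted)."""
    return vlan_id(ndg_leaf(ndg_value) if use_leaf else ndg_value)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed for the example
    req_auth = os.urandom(16)               # would be copied from the Access-Request
    for value in ("All Guest VLAN ID#10", ndg_leaf("All Guest VLAN ID#10")):
        pkt = access_accept(7, req_auth, secret, vlan_avps(value))
        print(repr(value), "->", assigned_vlan(pkt),
              "| attribute 81 present:", TUNNEL_PRIVATE_GROUP_ID in parse_avps(pkt))
```

Running the block shows that "All Guest VLAN ID#10" yields an Access-Accept with no attribute 81 while its leaf "10" yields VLAN 10, which is exactly the difference the packet capture in the question showed. The tag handling in assigned_vlan matters when reading captures by hand: a leading 0x00 octet in Tunnel-Private-Group-ID is the RFC 2868 tag, not part of the VLAN string.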

Hi Craig,

Thanks for the information.

That confirms why it's not working. The workaround you are suggesting may be possible, but I don't think it will be manageable for the client (meaning that all rules will be mixed together).

What I think would be better is to have policy set rules based on the location.

device location equals ... => (then go to authentication rules and authorization rules)

A bit disappointing that ISE can't work with dynamic attributes / manipulate them. I think it's quite easily done in a FreeRADIUS server.

Hope that Meraki supports vlan name override soon. (making a wish...)

For the moment I think we will need to stop deploying Meraki.

Kr

Niels

Certainly you can organize based on NDGs and this is common practice.

ISE does work with dynamic attributes today. The specific issue/limitation you are dealing with is the actual value you are trying to assign dynamically. Be sure to submit an enhancement request to the ISE PM (or to the Cisco account team to submit to the ISE PM) to handle specific scenarios. There is more than one way this could be achieved, but having detailed use cases and impact would help with prioritization.

Regards,

Craig

Hi Niels, did you find any workaround for this to reduce the number of policies?