Beginner

Meraki MR and ISE integration

Hello:

I have a customer that is using Meraki MR APs and they want to authenticate users against AD, but tying each user to their PC (MAC address). I know that with ISE we can do it, but I don't know if Meraki MR, using 802.1X PEAP-MSCHAP, sends the Calling Station ID attribute or similar to tie the wireless device. Do you know if it is possible, or have ideas on how to do it?

Thanks in advance

Mauricio

Cisco Employee

Re: Meraki MR and ISE integration

Mauricio,

Calling Station ID is a pretty RADIUS attribute and I'm pretty sure the MR access points have this functionality. What I don't understand is how you are trying to tie the user and machine together. Are you looking for something like EAP-Chaining?

Regards

-Tim

Beginner

Re: Meraki MR and ISE integration

Thanks, Tim. My request is simpler.

My customer is looking for a way to authorize access for a user only if they are using their assigned PC.

I am thinking of putting the user's PC MAC address in an AD attribute field and, using 802.1X PEAP-MSCHAP, sending an authentication request with user/password from ISE and getting this attribute from AD to compare with the Calling Station ID attribute (if Meraki sends it in the RADIUS request). Will it work?

Regards

Mauricio

From: Timothy Abbott <community@cisco.com>

Reply-To: "jive-63888371-5kln-2-5dtg@cisco-marketing.hosted.jivesoftware.com" <jive-63888371-5kln-2-5dtg@cisco-marketing.hosted.jivesoftware.com>

Date: Thursday, April 6, 2017, 11:05

To: "Mauricio Fuentes (maufuent)" <maufuent@cisco.com>

Subject: Re: - Meraki MR and ISE integration


Cisco Employee

Re: Meraki MR and ISE integration

Perhaps you want to consider this: "Deny and allow workstation logons with Group Policy" (4sysops).

Please remember to add ISE PSNs to the list, though.

Collaborator

Re: Meraki MR and ISE integration

Would simple ISE MAR do the job if this is a pure Microsoft environment?

Cisco Employee (Accepted Solution)

Re: Meraki MR and ISE integration

MAR checks whether the endpoint performed AD computer authentication within the MAR cache timeout. MAR does not tie one particular user to the list of devices.
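
The difference between the two checks discussed in this thread, as an added sketch that is not from any poster and is not ISE's own logic: a MAR-style cache keyed only on the endpoint MAC, next to a per-user binding that compares Calling-Station-ID with MAC addresses stored for the user. The directory contents, the timeout value and all function names are assumptions made for the illustration.

```python
import re

MAR_TIMEOUT_S = 5 * 3600  # assumed cache timeout for this sketch

# Constructed sample data: MACs assigned per user, as they might be stored
# in a directory attribute (note the differing notations).
DIRECTORY = {"alice": ["00:11:22:33:44:55"], "bob": ["6677.8899.aabb"]}

def normalize_mac(value):
    """Reduce a MAC in colon, hyphen or dotted notation to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

class MarCache:
    """MAR-style check: did this endpoint do machine auth recently?"""
    def __init__(self, timeout_s=MAR_TIMEOUT_S):
        self.timeout_s = timeout_s
        self._seen = {}  # normalized MAC -> time of last machine auth

    def record_machine_auth(self, calling_station_id, now):
        self._seen[normalize_mac(calling_station_id)] = now

    def passes(self, calling_station_id, now):
        seen = self._seen.get(normalize_mac(calling_station_id))
        return seen is not None and now - seen <= self.timeout_s

def user_bound_to_device(directory, user, calling_station_id):
    """Per-user binding: the MAC must be listed for this specific user."""
    assigned = {normalize_mac(m) for m in directory.get(user, ())}
    return normalize_mac(calling_station_id) in assigned

def evaluate(cache, user, calling_station_id, now):
    """Return the result of both checks for one user authentication.
    Both key on the MAC the endpoint reports in Calling-Station-ID."""
    return {
        "mar": cache.passes(calling_station_id, now),
        "binding": user_bound_to_device(DIRECTORY, user, calling_station_id),
    }

def demo():
    cache = MarCache()
    cache.record_machine_auth("00-11-22-33-44-55", now=0)  # alice's PC boots
    return {
        "alice_own_pc": evaluate(cache, "alice", "00-11-22-33-44-55", 60),
        "bob_on_alices_pc": evaluate(cache, "bob", "00-11-22-33-44-55", 60),
        "alice_after_timeout": evaluate(
            cache, "alice", "00-11-22-33-44-55", MAR_TIMEOUT_S + 1),
    }
```

In the `bob_on_alices_pc` case the MAR-style check passes while the per-user binding fails, which is the gap the accepted answer describes.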