cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6466
Views
5
Helpful
5
Replies

802.1x and Dynamic VLAN deployment for Cisco ISE and Meraki Access Points

SaintEvn
Level 1
Level 1

Hi all,

We’ve deployed Cisco ISE in our DC and we planned to control 802.1x wireless access from branch sites. We’ve already configured VPN tunnel between DC and Branches.  We would like to configure Dynamic VLAN assignment to the client PCs on branch sites, i.e., we’ve only one SSID and users from different user groups will be assigned to different VLAN when connected to Wi-Fi.

As we are using Meraki Wireless APs on branch sites, it is possible to use dynamic VLAN assignment feature with Cisco ISE?

As for now, we already configure dynamic VLAN feature in our environment, but some endpoints did not get IP assigned although it passed authentication and authorization.

Thank You!

1 Accepted Solution
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

I do not believe this solution works, since you have only 1 SSID, that is associated with VLAN aleady.

 

But with ISE profiling, based on the user Group you can setup the Security profile, what user / end device can access the resources.

 

As for now, we already configure dynamic VLAN feature in our environment, but some endpoints did not get IP assigned although it passed authentication and authorization.

is this wired or wireless ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SaintEvn
Level 1
Level 1

Dynamic VLAN feature is supported with Cisco WLC right? But with Cisco Meraki , it cannot be work ?

But right now only some endpoints can't get IP address while most endpoints are working Ok. And there is no VLAN tagging enable for SSID at this moment.

We planned to enable 802.1x only for Wireless network. 

If this is not a proper solution , we'll deploy with different SSID then.

Have you tried Group Policy with Filter ID or Airespace ACL?

Depends on your AuthZ conditions, you probably can assign different Group Policies to different AuthZ Profiles, each has different Group Policy associated with different VLAN ID. 

Here are the docs for your reference. https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_Group_Policies 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies 

Basically you create the several Group Policies with different VLANs on Meraki Dashboard, then creat corresponding AuthZ Profiles on ISE which call the names of the Group Policies.

 

HTH

thomas
Cisco Employee
Cisco Employee

Typically your WLAN SSID is associated with a specific VLAN, regardless of the wireless product.

 

Cisco AireOS WLC with a specific Interface Group mapping to a VLAN:

image.png  image.png

 

And in Meraki APs for a given SSID:

image.png