04-07-2016 10:45 AM - edited 03-10-2019 11:39 PM
I am very new to Cisco ISE and Meraki. I am trying to get RADIUS set up for wireless authentication. When I do a test from the Meraki to ISE it passes.
When I try to connect from my laptop I watch the RADIUS logs and it passes; however, it is not connecting me to the right policy set. I keep hitting the default policy. I do have my Meraki policy above the default policy in the policy set section. I attached what my policy set looks like.
04-07-2016 02:27 PM
What does the authorization result MerakiWirelessEmployee look like?
04-07-2016 02:49 PM
04-07-2016 02:55 PM
Check that you are using the exact same spelling for the Group Policy in the Airespace ACL field (case sensitive). You can also check your settings against the following documentation:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-86-Integrating_Meraki_Networks.pdf
04-07-2016 03:10 PM
I do have it spelled the same. I do know that I am having a certificate issue. I haven't uploaded a new one into ISE yet. I told my Windows 10 client not to verify the certificate. I will be uploading a third-party cert tomorrow. If the cert is incorrect, would this be the behavior I should expect to see? Or should it still hit the right auth rule?
Thanks for the quick responses.
04-07-2016 03:25 PM
No, because you are not using certificates for any of the authentications.
On the failed authentication entry in the RADIUS live log, click the details button. That will tell you if you should even be hitting the WirelessDot1x authorization rule. Verify that the client actually tried MS-CHAPv2 and the NAS port type equals Wireless IEEE-802.11.
04-07-2016 03:33 PM
I just realized something. You may be running into an issue that I've run into in the past using EQUALS for the external domain group membership. Try changing that to CONTAINS.
04-07-2016 03:37 PM
04-07-2016 03:45 PM
Are all the Meraki APs configured in ISE as a network access device and added to a device group? The policy set condition should look more like this:
DEVICE:Device Type EQUALS Device Type#All Devices#Meraki APs
You should be able to select Meraki APs after the EQUALS operator because that dropdown populates with devices when you choose DEVICE:Device Type as the attribute.
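The device-group condition discussed in this thread, as an added example that is not part of the original posts and is not ISE code: a simplified model of top-down, first-match policy set selection, showing why a request from an AP that is not in the Meraki APs group lands in Default. The IP ranges, set names and function names are constructed assumptions, as is the choice to return no set for an unregistered device.

```python
import ipaddress

# Constructed sample data; this models first-match selection, it is not ISE code.
# Registered network access devices: address range -> device group attributes.
NADS = {
    "10.0.10.0/24": {"Device Type": "Device Type#All Devices#Meraki APs"},
    "10.0.20.5/32": {"Device Type": "Device Type#All Devices"},  # AP left in the root group
}

# Policy sets in display order: (name, attribute, operator, value). Default has no condition.
POLICY_SETS = [
    ("Meraki", "Device Type", "EQUALS", "Device Type#All Devices#Meraki APs"),
    ("Default", None, None, None),
]

def lookup_groups(nas_ip):
    """Return the group attributes of the NAD entry covering nas_ip, or None."""
    addr = ipaddress.ip_address(nas_ip)
    for net, groups in NADS.items():
        if addr in ipaddress.ip_network(net):
            return groups
    return None

def condition_matches(actual, op, expected):
    if actual is None:
        return False
    if op == "EQUALS":
        return actual == expected
    if op == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operator: {op}")

def select_policy_set(nas_ip, policy_sets=POLICY_SETS):
    """Return (selected_set, trace); trace records why earlier sets were skipped."""
    groups = lookup_groups(nas_ip)
    if groups is None:  # model assumption: unregistered devices are not evaluated
        return None, [f"{nas_ip}: no matching network device entry"]
    trace = []
    for name, attr, op, value in policy_sets:
        if attr is None or condition_matches(groups.get(attr), op, value):
            return name, trace
        trace.append(f"{name}: {attr}={groups.get(attr)!r} does not {op} {value!r}")
    return None, trace

if __name__ == "__main__":
    for ip in ("10.0.10.23", "10.0.20.5", "192.0.2.9"):
        print(ip, *select_policy_set(ip))
```

The trace for the second address names the skipped set and the device group value that failed the comparison, which is the same check to make by hand against the device group shown in the RADIUS live log details.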
04-07-2016 04:04 PM
04-07-2016 04:13 PM
The all devices doesn't really matter. Here is what I see when I create a device group (where you would add the AP to that group) and then create the condition:
And here is where I create the policy set condition and you should be able to select the Meraki APs:
That will give you the condition similar to what I posted above. That may be why you aren't hitting that set because it's not matching the condition for that set.
04-07-2016 04:20 PM
Okay, I updated my group to look just like yours. I will check first thing in the morning. I really appreciate all of your help on this.
Thanks