Cisco ISE authentication/authorization options with Identity PSK with Meraki Access Points

giovanni.augusto · ‎09-27-2019

Hi Everyone,

I just read that Meraki Access Points are in beta with Identity PSK: https://documentation.meraki.com/MR/Access_Control/IPSK_with_RADIUS_Authentication

I am considering the option to use this feature in the future and use Cisco ISE we have in production as RADIUS server for this.

I would like to run the authentication / authorization as follows:

Authenticate the requested MAC address from Google Identity (SAML)?
retrieve a custom attribute containing the PSK
use the user PSK and use it as a dynamic variable in the authorization policy

I have honestly concerns about using SAML with such authentication process, I believe that in ISE you can use SAML identities only with Guest portal (why?) so I am thinking to have this with Google LDAP : https://support.google.com/a/answer/9048516?hl=en&ref_topic=9048334

So eventually by using a generic Secure LDAP can I run the authentication and retrieve an attribute to use it as a dynamic variable ?

hslai · ‎09-28-2019

To use SAML 2.0, an endpoint uses a Web browser and needs connectivity to the Identity Provider to perform authentications. Thus, it's not an option for 802.1X.

giovanni.augusto · ‎09-29-2019

Hi,

I am talking about Identity PSK not 802.1x

hslai · ‎09-29-2019

For this, PSK is practically the same as DOT1X because the endpoint has no connectivity until authenticated.