Cisco ISE, Meraki MX routers and changing VLANs.

crizco
Level 1

Hi everyone, I need your help regarding ISE, Meraki and VLAN switching.

Scenario for wired devices:

  1. Device is plugged into an Ethernet port
  2. Meraki MX 65 hands off to ISE
  3. ISE handles device posturing
  4. ISE responds to the MX and informs what VLAN the device should be put in
  5. MX changes the VLAN of the port

We are having issues with number 5 above. While the device is correctly identified in ISE and ISE tells the MX to change the VLAN on that particular port, the MX does not.

Any of you knowledgeable people know what we are missing? I can post the configs later once I am in work.

Thanks in advance.

Accepted Solutions

Why change VLANs at all? Also, I believe the MX also does not support CoA, so this is most likely your issue. ISE will issue a CoA for the endpoint when it completes posture to trigger a re-auth. Why are you connecting and posturing clients on an MX? This should really be done from an MS.

https://www.youtube.com/watch?v=w3bLEI6dUIo&t=5s

https://www.cisco.com/c/en/us/td/docs/security/ise/nad_capabilities/nad_capabilities_with_ise.html#Cisco_Reference.dita_8ecab1fc-4fa8-42b7-acfd-bd4011d25551


Thanks for the reply, and the links. We have 600+ remote offices where an MX would fit as an integrated services device. Not being able to change VLANs depending on client type is a bit of a showstopper in this scenario.

Why not an MS? Do you not have PoE needs across these 600+ offices?

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-p/3618650