
Cisco Meraki MAB - Radius "Call-Check" Field not being sent

CB90021204
Level 1

Hello, not sure if this is the right place to ask this question. I'm trying to implement MAB authentication using Meraki Wireless and Cisco ISE. The Meraki AP isn't sending the "Call-check" field in the RADIUS attributes, so I can't match MAB auth in my policy set.

I've logged a Meraki TAC case about this also. Has anyone come across this before? Did you need to implement a workaround? If so, how did you go about it?

Thanks,

Below are the RADIUS attributes being sent by the Meraki AP to ISE:

 

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 250
    Authenticator: xxxxxxxxxxxxxxxxxxxxxxx
    Attribute Value Pairs
        AVP: l=14 t=User-Name(1): xxxxxxxxxxxxxx
        AVP: l=18 t=User-Password(2): Encrypted
        AVP: l=6 t=NAS-IP-Address(4): xx.xx.xx.xx
        AVP: l=27 t=Called-Station-Id(30): MAC Address:SSID
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=34 t=Vendor-Specific(26) v=Meraki Networks, Inc.(29671)
        AVP: l=40 t=Vendor-Specific(26) v=Meraki Networks, Inc.(29671)
        AVP: l=24 t=Vendor-Specific(26) v=Meraki Networks, Inc.(29671)
        AVP: l=19 t=Calling-Station-Id(31): MAC Address
        AVP: l=24 t=Connect-Info(77): CONNECT 11Mbps 802.11b
        AVP: l=18 t=Message-Authenticator(80): xxxxxxxxxxxxxxxxxxxxxxx
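
An added example (not part of the original post, and not Cisco or Meraki code): a Python check that parses the attributes of a RADIUS Access-Request and reports whether it carries Service-Type (6) = Call-Check (10), which the capture above lacks. The sample packets, the MAC address and the function names are constructed, and the rule it models (Service-Type = Call-Check together with NAS-Port-Type = Wireless-802.11) is an assumption about the MAB condition in the policy set.

```python
import struct

SERVICE_TYPE, NAS_PORT_TYPE, CALLING_STATION_ID, USER_NAME = 6, 61, 31, 1
CALL_CHECK, WIRELESS_80211 = 10, 19  # values defined in RFC 2865

def build_access_request(attrs):
    """Build a constructed Access-Request (code 1, id 0, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 0, 20 + len(body), bytes(16)) + body

def parse_avps(packet):
    """Return [(type, value), ...], rejecting truncated or malformed packets."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps

def mab_check(packet):
    """Report whether the request has what a Service-Type based MAB rule needs."""
    values = dict(parse_avps(packet))
    def as_int(attr_type):
        raw = values.get(attr_type)
        return int.from_bytes(raw, "big") if raw is not None and len(raw) == 4 else None
    service, port = as_int(SERVICE_TYPE), as_int(NAS_PORT_TYPE)
    return {
        "service_type": service,              # None when the attribute is absent
        "wireless": port == WIRELESS_80211,
        "matches_wireless_mab": service == CALL_CHECK and port == WIRELESS_80211,
    }

# Constructed sample input: same attribute mix as the capture, placeholder MAC.
MAC = b"AA-BB-CC-DD-EE-FF"
BASE = [(USER_NAME, MAC), (NAS_PORT_TYPE, WIRELESS_80211.to_bytes(4, "big")),
        (CALLING_STATION_ID, MAC)]
WITHOUT_SERVICE_TYPE = build_access_request(BASE)
WITH_CALL_CHECK = build_access_request(BASE + [(SERVICE_TYPE, CALL_CHECK.to_bytes(4, "big"))])

if __name__ == "__main__":
    for name, pkt in (("without", WITHOUT_SERVICE_TYPE), ("with", WITH_CALL_CHECK)):
        print(name, mab_check(pkt))
```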

3 Accepted Solutions


pan
Cisco Employee

ISE and Meraki integration is documented here:
http://cs.co/ise-guest


Thanks for your help, everyone. @Jason Kunst that link was perfect.

Just to close this off, Meraki does send the “Service Type” RADIUS field. It started sending after I enabled “Cisco Identity Services Engine (ISE) Authentication for Splash Page” in the SSID settings.


5 Replies

CB90021204
Level 1

Just got confirmation that the RADIUS "Service-Type (6)" attribute in Access-Request packets isn’t supported by Meraki. Will need to come up with a workaround.

pan
Cisco Employee

Maybe the following can help.

 

Enabling ISE splash setting on meraki

 

 https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

 


One other bit of useless information, we have multiple PSNs in pairs in each global region. Our Meraki devices use the regional pair nearest to them as defined in a template per region for AAA. But any of the PSNs can issue a CoA to the Meraki devices. On our Cisco switches we have a dynamic auth block that lists all the global PSNs but the Meraki portal does not have an option for this. It will only accept CoAs from the PSNs defined for AAA in the template so there's a small chance you will get an alert in ISE that the CoA failed - unless you list all the PSNs in the portal for AAA - of which any could be used although they are geographically/latency far away. I have "wished for" a change to the Meraki portal to enable a CoA block where you can define multiple AAA servers just like we can for the Cisco switches.

JB.
