Solved: ISE 1.2 & AD & Meraki - Per User Group Policy ?

Nathan Farrar · ‎09-04-2014

I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.

1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?

2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.

I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!

Thanks,

Nathan

Saurav Lodh · ‎09-18-2014

Please find the Meraki_ISE integration doc. in attachment.

When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.

In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:

MAC-based access control (no encryption)
WPA2-Enterprise with 802.1x authentication

A per-user VLAN tag can be applied in 3 different ways:

The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.

View solution in original post

Saurav Lodh · ‎09-18-2014

Please find the Meraki_ISE integration doc. in attachment.

When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.

In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:

MAC-based access control (no encryption)
WPA2-Enterprise with 802.1x authentication

A per-user VLAN tag can be applied in 3 different ways:

The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.

Nathan Farrar · ‎10-14-2014

Ended up not going with ISE as it is a bit pricey and not really necessary for what it is that we want to do. Appreciate the input. It did help me get what I was working on to function.

Thanks!