ISE / Meraki Google authentication and authorization

Hi Community, 

 

Let me explain what the scenario is and what would be nice to achieve:

 

We have Meraki APs and also Cisco ISE servers for AAA.

 

We would like to authenticate wireless users with Google authentication, and I know that Meraki itself offers a couple of options:

1) Splash screen with Meraki oauth authentication to a certain domain.com

2) WPA2-Enterprise with Google Authentication to a certain domain.com

 

What I cannot figure out is how to enforce authorization, that is, how to do the following:

1) restrict the users allowed to access Wireless based on some Google attribute (Google groups?)

2) retrieve an attribute (Google group name?) to enforce a specific VLAN or even Meraki group in return

 

The solution can be either ISE only (preferred) or Meraki only.

 

I know all this can eventually be achieved using an external RADIUS server with Google Authenticator and then using the username provided as an attribute match in ISE (for example, email) in Active Directory to retrieve, in the end, an AD security group to differentiate access (IT vs Dev), but I am aiming to have a Google-only solution; otherwise, with AD still in the loop, it would not be worth the hassle of using Google.

 

Thank you!

 

3 Replies

hslai
Cisco Employee

I am not familiar with the two Meraki features you outlined, so it is best for you to seek support at the Meraki support forums or other resources.

You might be able to perform Central Web Authentication (CWA) with Cisco ISE with Google Suite Guest SSO (Single Sign On) with ISE via SAML for Chromebooks.

Thanks,

 

Web redirection to captive portals is not what I had in mind, but even so, is it possible to retrieve attributes from Google cloud identities?

 

The idea would be to assign different levels of authorization based on user attributes (groups...).

 

I have also opened another discussion about the relatively recent Google Secure LDAP option; this may save the day for me, but I would like to know if anyone (Cisco employee or not) has had a chance to look at it, maybe with some guidelines on what realistic expectations can be and how to achieve them.

 

Here is the discussion link: https://community.cisco.com/t5/identity-services-engine-ise/cisco-ise-and-google-gsuite-ldap/m-p/3896236


Web redirection to captive portals is not what I had in mind, but even so, is it possible to retrieve attributes from Google cloud identities?

As I responded earlier, see Google Suite Guest SSO (Single Sign On) with ISE via SAML for Chromebooks > Optional Configurations for group/attribute matching