ISE with Meraki using Wireless 802.1x - Radius:Service-Type = Framed not working

Alfonso Lopez
Cisco Employee

The firmware of the APs in the Meraki Dashboard claims to be "Up to date".

 

I'm using ISE to authenticate Wireless 802.1x corporate users against the AD using PEAP-MSCHAPv2. Using the default Wireless 802.1x compound condition (which uses Radius:Service-Type = Framed) simply does not work. The rule is skipped and the request ends up being caught by the default authentication rule.

 

I created a new condition with only Radius:NAS-Port-Type - Wireless - IEEE 802.11 and now that rule catches the request.

 

However, the same thing happens with the Authorization rule. Meraki seems to not understand Radius:Service-Type and the rule that uses it gets skipped. If I get rid of that attribute and try to match on an AD group, it also won't match.

 

Is there a way to create different authorization rules on ISE based on different AD groups if my APs are Meraki?

 

Thanks!

 

Alfonso

Accepted Solution

Alfonso Lopez
Cisco Employee

Well, I solved it by simply installing patch 1 on our ISE 2.2

 

It's now matching a rule that uses Service-Type = Framed.

 

The authorization condition has 4 attributes:

- Nas Port Type = Wireless IEEE 802.11

- Service Type = Framed

- External Group = Domain Users

- Networkaccess = Userauthenticated

 

So, I hope this helps someone else facing the same issue. The solution was simply to install patch 1...


2 Replies

Francesco Molino
VIP Alumni
Hi

I didn't do dot1x implementation with Meraki devices.
However, I can help you on ISE.
First of all, can you take a tcpdump capture on ISE while authenticating through a Meraki device?

Can you share your ISE configuration as well to take a look?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
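
Added example, not part of the thread: one way to use the capture suggested above is to decode the RADIUS Access-Request payload and check whether it carries the two RADIUS attributes the conditions in this thread match on. The function names and both sample packets are constructed for illustration; the attribute numbers and values are those of RFC 2865 (Service-Type is attribute 6 with Framed = 2, NAS-Port-Type is attribute 61 with Wireless - IEEE 802.11 = 19).

```python
import struct

SERVICE_TYPE, NAS_PORT_TYPE = 6, 61      # RFC 2865 attribute type codes
FRAMED, WIRELESS_80211 = 2, 19           # RFC 2865 enumerated values

def parse_radius(packet):
    """Parse one RADIUS packet (UDP payload) into its code and attribute TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the captured payload")
    attrs, pos = {}, 20                  # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "attrs": attrs}

def int_attr(attrs, a_type):
    """Return the first value of a 4-byte integer attribute, or None if absent."""
    vals = attrs.get(a_type)
    return struct.unpack("!I", vals[0])[0] if vals and len(vals[0]) == 4 else None

def check_conditions(packet):
    """Report which of the two RADIUS conditions from the thread the request satisfies."""
    attrs = parse_radius(packet)["attrs"]
    return {
        "Service-Type = Framed": int_attr(attrs, SERVICE_TYPE) == FRAMED,
        "NAS-Port-Type = Wireless - IEEE 802.11":
            int_attr(attrs, NAS_PORT_TYPE) == WIRELESS_80211,
    }

def build_request(attr_list):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attr_list)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample packets (not taken from any real capture).
WITH_BOTH = build_request([(1, b"alice"), (6, struct.pack("!I", 2)), (61, struct.pack("!I", 19))])
NO_SERVICE_TYPE = build_request([(1, b"alice"), (61, struct.pack("!I", 19))])

if __name__ == "__main__":
    for name, pkt in (("with both", WITH_BOTH), ("no Service-Type", NO_SERVICE_TYPE)):
        print(name, check_conditions(pkt))
```

If the request already carries both attributes with the expected values, the condition mismatch is on the policy-evaluation side rather than in what the access point sends.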
