cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2804
Views
2
Helpful
5
Replies

Meraki MR and ISE integration

maufuent
Level 1
Level 1

Hello:

     I have a customer that is using Meraki MR AP and they want to authenticate users on AD, but tying each user to their PC (MAC Address). I know that with ISE we can do it, but I dont know if Meraki MR, using 802.1X PEAP-MSCHAP, sends Calling Station ID attribute or similar to tie the wireless device. Do you know if is it possible or ideas to do it?

Thanks in advanced

Mauricio

1 Accepted Solution

Accepted Solutions

MAR checks whether the endpoint performing AD computer authentication within the MAR cache timeout. MAR does not tie one particular user to the list of devices.

View solution in original post

5 Replies 5

Timothy Abbott
Cisco Employee
Cisco Employee

Mauricio,

Calling Station ID is a pretty RADIUS attribute and I'm pretty sure the MR access point have this functionality.  What I don't understand is how you are trying to tie the user and machine together.  Are you looking for something link EAP-Chaining?

Regards

-Tim

Thanks Tim. Is more simple my request

My customer is looking for a way to authorize access to an user just if it is using their assigned PC.

I think to put in AD a field attribute as user’s PC MAC address and using 802.1X PEAP-MSCHAP, send from ISE an authentication request with user/password and get from AD this attribute to compare with calling station ID attribute ( if Meraki sends it on Radius request). It will work?

Regards

Mauricio

De: Timothy Abbott <community@cisco.com>

Responder a: "jive-63888371-5kln-2-5dtg@cisco-marketing.hosted.jivesoftware.com" <jive-63888371-5kln-2-5dtg@cisco-marketing.hosted.jivesoftware.com>

Fecha: jueves, 6 de abril de 2017, 11:05

Para: "Mauricio Fuentes (maufuent)" <maufuent@cisco.com>

Asunto: Re: - Meraki MR and ISE integration

Cisco Communities <https://communities.cisco.com/>

Meraki MR and ISE integration

reply from Timothy Abbott<https://communities.cisco.com/people/tiabbott> in Technology > Security Community > Policy and Access > Identity Services Engine (ISE) - View the full discussion<https://communities.cisco.com/message/251188#251188>

hslai
Cisco Employee
Cisco Employee

Perhaps, you want to consider this Deny and allow workstation logons with Group Policy – 4sysops

Please remember to add ISE PSNs to the list, tho.

Would simple ISE MAR do the job if this is pure Microsoft environment?

MAR checks whether the endpoint performing AD computer authentication within the MAR cache timeout. MAR does not tie one particular user to the list of devices.