04-06-2017 05:25 AM
Hello:
I have a customer that is using Meraki MR APs and they want to authenticate users on AD, but tying each user to their PC (MAC address). I know that with ISE we can do it, but I don't know if Meraki MR, using 802.1X PEAP-MSCHAP, sends the Calling Station ID attribute or similar to tie the wireless device. Do you know if it is possible, or have ideas on how to do it?
Thanks in advance
Mauricio
04-06-2017 07:04 AM
Mauricio,
Calling Station ID is a pretty RADIUS attribute and I'm pretty sure the MR access points have this functionality. What I don't understand is how you are trying to tie the user and machine together. Are you looking for something like EAP-Chaining?
Regards
-Tim
04-06-2017 01:31 PM
Thanks, Tim. My request is simpler.
My customer is looking for a way to authorize access to a user only if they are using their assigned PC.
I am thinking of putting the user's PC MAC address in an AD attribute field and, using 802.1X PEAP-MSCHAP, sending an authentication request from ISE with user/password and getting this attribute from AD to compare with the Calling Station ID attribute (if Meraki sends it in the RADIUS request). Will it work?
Regards
Mauricio
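The comparison proposed in the post above, sketched as an added example that is not part of the original thread and is not ISE or Meraki code: the Calling-Station-Id from the RADIUS request is normalized and matched against the MAC addresses recorded for the user, denying on any missing or malformed value. The names `ASSIGNED_MACS`, `normalize_mac` and `authorize` are hypothetical, the dictionary is a constructed stand-in for the AD attribute, and the separator styles handled (hyphen, colon, dotted) are assumptions about what the access point and the directory may contain.

```python
import re

# Constructed sample data standing in for the AD attribute: user -> assigned PC MAC(s).
ASSIGNED_MACS = {
    "alice": ["00:11:22:AA:BB:CC"],
    "bob": ["0011.22dd.eeff", "00-11-22-33-44-55"],
}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    if not isinstance(value, str):
        return None
    stripped = re.sub(r"[-:.]", "", value.strip().lower())
    return stripped if _HEX12.fullmatch(stripped) else None


def authorize(username, calling_station_id, directory=ASSIGNED_MACS):
    """Permit only when Calling-Station-Id matches a MAC assigned to the user.

    Fails closed: an unknown user, a missing attribute or a malformed MAC
    on either side results in a deny.
    """
    client = normalize_mac(calling_station_id)
    if client is None:
        return ("deny", "missing or malformed Calling-Station-Id")
    assigned = {normalize_mac(m) for m in directory.get(username.lower(), [])}
    assigned.discard(None)  # ignore badly formatted directory entries
    if not assigned:
        return ("deny", "no assigned device on record")
    if client in assigned:
        return ("permit", "device matches assignment")
    return ("deny", "device not assigned to this user")


if __name__ == "__main__":
    # Constructed requests: (authenticated user, Calling-Station-Id as received)
    for user, csid in [("alice", "00-11-22-AA-BB-CC"), ("alice", "00-11-22-33-44-55"),
                       ("bob", "00:11:22:DD:EE:FF"), ("carol", "00-11-22-AA-BB-CC")]:
        print(user, csid, authorize(user, csid))
```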
04-06-2017 04:25 PM
Perhaps you want to consider this: Deny and allow workstation logons with Group Policy – 4sysops
Please remember to add ISE PSNs to the list, though.
04-06-2017 05:11 PM
Would simple ISE MAR do the job if this is a pure Microsoft environment?
04-07-2017 10:39 PM
MAR checks whether the endpoint performed AD computer authentication within the MAR cache timeout. MAR does not tie one particular user to the list of devices.