
Cisco ISE and Meraki Radius

I am very new to Cisco ISE and Meraki. I am trying to get RADIUS set up for wireless authentication. When I do a test from the Meraki to ISE, it passes.

When I try to connect from my laptop, I watch the RADIUS logs and it passes; however, it is not connecting me to the right policy set. I keep hitting the default policy. I do have my Meraki policy above the default policy in the policy set section. I attached what my policy set looks like.

1 ACCEPTED SOLUTION

Beginner

The all devices doesn't really matter. Here is what I see when I create a device group (where you would add the AP to that group) and then create the condition:

And here is where I create the policy set condition and you should be able to select the Meraki APs:

That will give you the condition similar to what I posted above. That may be why you aren't hitting that set because it's not matching the condition for that set.

11 REPLIES 11
Beginner

What does the authorization result MerakiWirelessEmployee look like?

Beginner

Here you go.

Beginner

Check that you are using the exact same spelling for the Group Policy in the Airespace ACL field (case sensitive). You can also check your settings against the following documentation:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-86-Integrating_Meraki_Networks.pdf

Beginner

I do have it spelled the same. I do know that I am having a certificate issue. I haven't uploaded a new one into ISE yet. I told my Windows 10 client not to verify the certificate. I will be uploading a third-party cert tomorrow. If the cert is incorrect, would this be the behavior I should expect to see? Or should it still hit the right auth rule?

Thanks for the quick responses. 

Beginner

No, because you are not using certificates for any of the authentications.

On the failed authentication entry in the RADIUS live log, click the details button. That will tell you if you should even be hitting the WirelessDot1x authorization rule. Verify that the client actually tried MS-CHAPv2 and the NAS port type equals Wireless IEEE-802.11.

Beginner

I just realized something. You may be running into an issue that I've run into in the past using EQUALS for the external domain group membership. Try changing that to CONTAINS.

Beginner

I just changed it to Contains. I won't be able to test until the morning if that makes a difference or not.

It's not actually failing on RADIUS; it is passing. But it is not putting it into the right policy set.

Beginner

Are all the Meraki APs configured in ISE as a network access device and added to a device group? The policy set condition should look more like this:

DEVICE:Device Type EQUALS Device Type#All Devices#Meraki APs

You should be able to select Meraki APs after the EQUALS operator because that dropdown populates with devices when you choose DEVICE:Device Type as the attribute.
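
A simplified model of the top-down, first-match policy set selection discussed in this thread, added here as an illustration; it is not part of the original posts and not ISE code. The IP addresses, the inventory and the function names are constructed assumptions; the group string is the one quoted above.

```python
# Simplified model of policy set selection: top-down, first match wins.
# Not ISE code; names, IPs and inventory below are constructed.

MERAKI_GROUP = "Device Type#All Devices#Meraki APs"  # string quoted in the thread

# Constructed inventory: NAS IP address -> device group the device was placed in.
NETWORK_DEVICES = {
    "10.0.10.5": MERAKI_GROUP,                 # AP assigned to the Meraki APs group
    "10.0.10.6": "Device Type#All Devices",    # AP added but left in the parent group
}

def condition_matches(operator, expected, actual):
    """Evaluate one condition; EQUALS is exact and case sensitive."""
    if operator == "ANY":
        return True
    if operator == "EQUALS":
        return actual == expected
    if operator == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operator: {operator}")

def select_policy_set(nas_ip, policy_sets):
    """Return the name of the first policy set whose condition matches."""
    # Model assumption: a device missing from the inventory has no device type.
    device_type = NETWORK_DEVICES.get(nas_ip, "")
    for name, operator, expected in policy_sets:
        if condition_matches(operator, expected, device_type):
            return name
    return None

POLICY_SETS = [
    ("Meraki", "EQUALS", MERAKI_GROUP),
    ("Default", "ANY", ""),
]

if __name__ == "__main__":
    for ip in NETWORK_DEVICES:
        print(ip, "->", select_policy_set(ip, POLICY_SETS))
    # A condition value that differs only in case no longer matches.
    typo = [("Meraki", "EQUALS", MERAKI_GROUP.lower()), ("Default", "ANY", "")]
    print("case mismatch ->", select_policy_set("10.0.10.5", typo))
```

In this model, a request that lands in Default means either the access point is not in the group the condition names or the condition value does not match the group string exactly.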

Beginner

I do have the AP added to a group. I don't have an option to do #All Devices. Attached is what it looks like I can add. And pardon my ignorance, I may be doing something wrong when I am adding this. I am using ISE for the first time ever.

Beginner

Okay, I updated my group to look just like yours.  I will check first thing in the morning.  I really appreciate all of your help on this. 

Thanks