Cisco ISE and Meraki Radius

Andy Guley
Level 1

I am very new to Cisco ISE and Meraki. I am trying to get RADIUS set up for wireless authentication. When I do a test from the Meraki to ISE it passes.

When I try to connect from my laptop I watch the RADIUS logs and it passes; however, it is not connecting me to the right Policy set. I keep hitting the default policy. I do have my Meraki policy above the default policy in the policy set section. I attached what my Policy set looks like.

11 Replies

Joseph Johnson
Level 1

What does the authorization result MerakiWirelessEmployee look like?

Here you go.

Check that you are using the exact same spelling for the Group Policy in the Airespace ACL field (case sensitive). You can also check your settings against the following documentation:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-86-Integrating_Meraki_Networks.pdf

I do have it spelled the same. I do know that I am having a certificate issue. I haven't uploaded a new one into ISE yet. I told my Windows 10 client not to verify the certificate. I will be uploading a third party cert tomorrow. If the cert is incorrect would this be the behavior I should expect to see? Or should it still hit the right auth rule?

Thanks for the quick responses. 

No because you are not using certificates for any of the authentications.

On the failed authentication entry in the RADIUS live log, click the details button. That will tell you if you should even be hitting the WirelessDot1x authorization rule. Verify that the client actually tried MS-CHAPv2 and the NAS port type equals Wireless IEEE-802.11.

I just realized something. You may be running into an issue that I've run into in the past using EQUALS for the external domain group membership. Try changing that to CONTAINS.

I just changed it to Contains. I won't be able to test until the morning if that makes a difference or not.

It's not actually failing on RADIUS; it is passing. But it is not putting it into the right policy set.

Are all the Meraki APs configured in ISE as a network access device and added to a device group? The policy set condition should look more like this:

DEVICE:Device Type EQUALS Device Type#All Devices#Meraki APs

You should be able to select Meraki APs after the EQUALS operator because that dropdown populates with devices when you choose DEVICE:Device Type as the attribute.

I do have the AP added to a group. I don't have an option to do #All Devices. Attached is what it looks like I can add. And pardon my ignorance, I may be doing something wrong when I am adding this. I am using ISE for the first time ever.

The all devices doesn't really matter. Here is what I see when I create a device group (where you would add the AP to that group) and then create the condition:

And here is where I create the policy set condition and you should be able to select the Meraki APs:

That will give you the condition similar to what I posted above. That may be why you aren't hitting that set because it's not matching the condition for that set.

Okay, I updated my group to look just like yours.  I will check first thing in the morning.  I really appreciate all of your help on this. 

Thanks
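
The two mismatches discussed in this thread (a policy set condition on DEVICE:Device Type that the AP's device group does not satisfy, and EQUALS versus CONTAINS on the external group) can be reproduced in a small model. This is an added example, not part of the original thread and not ISE code; it assumes top-down, first-match selection, and every IP address, group path and policy set name in it is a constructed sample.

```python
# Simplified model of top-down, first-match policy set selection (not ISE code).
# Every IP, group path and policy set name below is a constructed sample.
NADS = {
    "10.0.10.5": "Device Type#All Devices#Meraki APs",  # AP added to the group
    "10.0.10.6": "Device Type#All Devices",             # AP left in the root group
}

# Policy sets in display order; Default has no condition and sits last.
POLICY_SETS = [
    ("Meraki", ("DEVICE:Device Type", "EQUALS", "Device Type#All Devices#Meraki APs")),
    ("Default", None),
]


def compare(actual, op, expected):
    """Evaluate one condition; a missing attribute never matches."""
    if actual is None:
        return False
    if op == "EQUALS":
        return actual == expected
    if op == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operator: {op}")


def select_policy_set(nas_ip):
    """Return the first policy set whose condition matches the requesting device."""
    if nas_ip not in NADS:
        return None  # assumption: unregistered devices select no policy set
    attrs = {"DEVICE:Device Type": NADS[nas_ip]}
    for name, cond in POLICY_SETS:
        if cond is None or compare(attrs.get(cond[0]), cond[1], cond[2]):
            return name
    return None


def group_rule_matches(op, rule_value, directory_groups):
    """Authorization-rule check against the groups returned by the directory."""
    return any(compare(g, op, rule_value) for g in directory_groups)


if __name__ == "__main__":
    for ip in ("10.0.10.5", "10.0.10.6", "10.0.10.9"):
        print(ip, "->", select_policy_set(ip))
    groups = ["example.local/Users/Wireless Employees"]  # constructed group path
    for op in ("EQUALS", "CONTAINS"):
        print(op, group_rule_matches(op, "Wireless Employees", groups))
```
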
