cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2068
Views
0
Helpful
2
Replies

ISE with Meraki using Wireless 802.1x - Radius:Service-Type = Framed not working

Alfonso Lopez
Cisco Employee
Cisco Employee

The firmware of the APs in the Meraki Dashboard claims to be "Up to date".

 

I'm using ISE to authenticate Wireless 802.1x corporate users against the AD using PEAP-MSCHAPv2. Using the default Wireless 802.1x compund condition (which uses Radius:Service-Type = Framed) simply does not work. The rule is skipped and the request ends up being catched by the default authentication rule.

 

I created a new condition with only Radius:NAS-Port-Type - Wireless - IEEE 802.11 and now that rule catches the request.

 

However, the same thing happens with the Authorization rule. Meraki seems to not understand Radius:Service-Type and the rule that uses it gets skipped. If I get rid of that attribute and try to match on an AD group, it also won't match.

 

Is there a way to create different authroization rules on ISE based on different AD groups if my APs are Meraki?

 

Thanks!

 

Alfonso

1 Accepted Solution

Accepted Solutions

Alfonso Lopez
Cisco Employee
Cisco Employee

Well, I solved it by simply installing patch 1 on our ISE 2.2

 

It's now matching a rule that uses Service-Type = Framed.

 

The authorization condition has 4 attributes:

- Nas Port Type = Wireless IEEE 802.11

- Service Type = Framed

- External Group = Domain Users

- Networkaccess = Userauthenticated

 

So, I hope this helps someone else facing the same issue. The solution was simply to install patch 1...

View solution in original post

2 Replies 2

Francesco Molino
VIP Alumni
VIP Alumni
Hi

I didn't do dot1x implementation with Meraki devices.
However i can help you on ise.
First of all, can you take a tcpdump capture on ise while authenticating through a Meraki devices?

Can you share your ise configuration as will to take a look?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Alfonso Lopez
Cisco Employee
Cisco Employee

Well, I solved it by simply installing patch 1 on our ISE 2.2

 

It's now matching a rule that uses Service-Type = Framed.

 

The authorization condition has 4 attributes:

- Nas Port Type = Wireless IEEE 802.11

- Service Type = Framed

- External Group = Domain Users

- Networkaccess = Userauthenticated

 

So, I hope this helps someone else facing the same issue. The solution was simply to install patch 1...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: