09-15-2017 02:05 AM - edited 02-21-2020 10:34 AM
The firmware of the APs in the Meraki Dashboard claims to be "Up to date".
I'm using ISE to authenticate Wireless 802.1x corporate users against the AD using PEAP-MSCHAPv2. Using the default Wireless 802.1x compound condition (which uses Radius:Service-Type = Framed) simply does not work. The rule is skipped and the request ends up being caught by the default authentication rule.
I created a new condition with only Radius:NAS-Port-Type - Wireless - IEEE 802.11 and now that rule catches the request.
However, the same thing happens with the Authorization rule. Meraki seems to not understand Radius:Service-Type and the rule that uses it gets skipped. If I get rid of that attribute and try to match on an AD group, it also won't match.
Is there a way to create different authorization rules on ISE based on different AD groups if my APs are Meraki?
Thanks!
Alfonso
09-25-2017 01:28 AM
Well, I solved it by simply installing patch 1 on our ISE 2.2
It's now matching a rule that uses Service-Type = Framed.
The authorization condition has 4 attributes:
- Nas Port Type = Wireless IEEE 802.11
- Service Type = Framed
- External Group = Domain Users
- Networkaccess = Userauthenticated
So, I hope this helps someone else facing the same issue. The solution was simply to install patch 1...
09-15-2017 08:30 PM