Jay Tiwari
Cisco Employee

Introduction

Cisco TrustSec (CTS) is known as Adaptive Policy in the Meraki world. In the Cisco world, TrustSec is configured and managed centrally using Identity Services Engine (ISE), while Adaptive Policy has so far been configured and managed from the Meraki Dashboard. Adaptive Policy can now also be configured and managed centrally from ISE: once it is configured in ISE, it is pushed to the Meraki Dashboard using the API. This capability is available in ISE 3.2 Patch 1 and onward.

At the time of release of this integration feature, policies are pushed one way, from ISE to the Meraki Dashboard. This makes ISE a centralized place to configure and manage policy for Cisco-based and Meraki-based networks together.

Lab Setup

jatiwari_0-1704993683151.png

ISE 3.2 patch was deployed in a data center environment, and the Meraki Dashboard is on the Internet in the Cisco Cloud. To integrate these two components, TCP port 443 was opened on the perimeter firewall. Once they are integrated, all the configured SGTs, SGACLs and SGT policies will be pushed to the Meraki Dashboard.

Note: This solution works with a web proxy too.

Prerequisites 

  • ISE Version 3.2 Patch 1 and above   
  • Meraki Dashboard admin account
  • ISE admin account
  • ISE to Meraki Dashboard connectivity on URL api.meraki.com on port 443
  • Meraki integration requires at least an ISE Advantage license.

Flow Diagram

jatiwari_1-1704994121031.png

Note: A firewall is present in the flow diagram because almost every organization will have a firewall at the perimeter of its on-prem data center. If no firewall is present between ISE and the Meraki Dashboard, ISE will establish a direct connection.

Configuration

Integration of ISE and Meraki Dashboard

Step 1. Generate an API key from the Meraki Dashboard

  • Log in to the Meraki Dashboard --> Go to My profile --> API access, generate an API key, and copy that key to a safe place.

Step 2. Log in to ISE

  • Log in to ISE --> Go to Work Centers --> TrustSec --> Integrations --> Meraki --> Connections --> Click Connect Meraki --> Click Let’s do it!
  • Provide the details below:
    • Connection: Provide any name
    • API Key: Paste the API key which was generated in the Meraki Dashboard
    • Choose Meraki Organization: Select the organization to which the data needs to be synced

jatiwari_0-1704995344237.png

  • Click Next and leave the timer at the default of 12 minutes to sync the data from ISE to Meraki periodically.

jatiwari_1-1704995448303.png

  • Select the policy which you need to sync to Meraki (this can also be done later) and click Next.

jatiwari_2-1704995525142.png

  • Select the SGACLs which need to be synced to Meraki (this can also be done later).

jatiwari_3-1704995592889.png

  • Select the SGTs which you need to sync to Meraki (this can also be done later) and click Next.

jatiwari_0-1704995730230.png

  • Review the summary of the configuration, click Finish, and refresh the page. A successful integration looks like the screenshot below.

jatiwari_1-1704995762964.png

Sync data from ISE to Meraki

  • All the SGTs, policies and SGACLs created under the Components and TrustSec sections are reflected on the Meraki --> Sync Selection page, where you can select which SGTs, policies or SGACLs need to be synced to the Meraki organization.
  • Go to Work Centers --> Integrations --> Meraki --> Sync Selections, select the policies, SGTs and SGACLs which need to be synced to Meraki, and click Save.

jatiwari_2-1704995903095.png

  • Now, go to Work Centers --> Integrations --> Meraki --> Sync Status and wait for the data to sync to Meraki, or click Manual Sync.

jatiwari_3-1704995963538.png

  • Once the data is synced to Meraki, the status appears as shown below:

jatiwari_4-1704995996357.png

Verify the policy, SGTs and SGACL on Meraki

Navigate to Organization --> Adaptive Policy --> Groups to verify that all the SGT groups are pushed from ISE to Meraki.

jatiwari_0-1705069687872.png

Navigate to Organization --> Adaptive Policy --> Policies to verify that all the SGT-based policies are pushed from ISE to Meraki.

jatiwari_1-1705069714234.png
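The same verification can be scripted against the Meraki Dashboard API instead of checking the Groups page by eye. The following is an added example, not part of the original article or of Cisco's tooling: it diffs the SGTs selected in ISE against the organization's adaptive policy groups and flags the 60-SGT limit listed under Limitation. The environment variable names, the sample data, the assumption that Meraki group names match the ISE SGT names, and the choice to count every group toward the limit are all assumptions of this example.

```python
import json
import os
import urllib.request

MERAKI_BASE = "https://api.meraki.com/api/v1"
MAX_SGTS = 60  # limit stated in this article's Limitation section

def fetch_groups(org_id, api_key):
    """GET the organization's adaptive policy groups (needs network access)."""
    req = urllib.request.Request(
        f"{MERAKI_BASE}/organizations/{org_id}/adaptivePolicy/groups",
        headers={"Authorization": f"Bearer {api_key}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def compare_sgts(expected, meraki_groups):
    """Diff the SGTs selected in ISE (name -> tag) against Meraki's groups."""
    seen = {g["name"]: g["sgt"] for g in meraki_groups}
    return {
        # Selected in ISE but not present in Meraki: sync incomplete.
        "missing": sorted(n for n in expected if n not in seen),
        # Present in both, but the tag value differs.
        "tag_mismatch": sorted(n for n, tag in expected.items()
                               if n in seen and seen[n] != tag),
        # Present in Meraki only, e.g. built-in or locally created groups.
        "unexpected": sorted(n for n in seen if n not in expected),
        # Assumption: every group counts toward the 60-SGT limit.
        "over_limit": len(seen) > MAX_SGTS,
    }

# Constructed sample data (not taken from a real organization).
SAMPLE_EXPECTED = {"Employees": 4, "Contractors": 5, "IoT_Devices": 16}
SAMPLE_RESPONSE = json.loads("""[
  {"groupId": "1", "name": "Unknown", "sgt": 0},
  {"groupId": "2", "name": "Employees", "sgt": 4},
  {"groupId": "3", "name": "Contractors", "sgt": 15}
]""")

if __name__ == "__main__":
    # Hypothetical variable names; the key is read from the environment
    # so it never lands in the script or in shell history.
    org = os.environ.get("MERAKI_ORG_ID")
    key = os.environ.get("MERAKI_API_KEY")
    groups = fetch_groups(org, key) if org and key else SAMPLE_RESPONSE
    print(json.dumps(compare_sgts(SAMPLE_EXPECTED, groups), indent=2))
```

Without the two environment variables set, the script runs offline against the constructed sample and reports one missing SGT, one tag mismatch and one Meraki-only group.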

Testing & Troubleshooting

For troubleshooting, collect the support bundle with "Meraki Connector" enabled, as in the screenshot below:

jatiwari_2-1705069823329.png

Limitation

The following limitations are known at the time of writing this document.

  1. One ISE or one ISE cluster can push the policy for 20 organizations under a Meraki Dashboard account.
  2. Static IP/Subnet to SGT mapping cannot be pushed to the Meraki Dashboard.
  3. One ISE or one ISE cluster can push only one TrustSec matrix to all the organizations of a Meraki Dashboard.
  4. The Meraki Dashboard can push a maximum of 60 SGTs, and the policies between them, in the Meraki network.
  5. SXP is not supported for the Meraki Network Devices.