Assumptions:
– ISE associated with Active Directory
– Basic ISE and Meraki Knowledge
1. WLAN (SSID) Configuration
- select WPA2 – Enterprise with my Radius server
- select “Cisco Identity Services Engine (ISE) Authentication
- provide ISE radius server IP (auth and acc) and PSK
- Enable CoA
- specify radius attribute “Airespace-ACL-Name” – it is needed to assign group policy for wireless users
Group policy works similar like ACL on WLC. ISE provides name of group policy(on WLC ACL name) but it does not send dACL(group policy).
- disable group assignment policies disabled
- specify user IP assignment (in my case bridge mode)
- enable VLN tagging
- specify default VLAN ( vlan can be also dynamically assigned through ISE policies)
- enable “Radius Override”
- enable 2.4GHz or 5GHz band or both
2. Configure Group Policies (for dACL assignment or/and QoS settings) – in our case name is “Meraki_Contractors_Access”
- build a L3/L7 policy
3.Configure ISE
- configure authorization profile (option1 – ACL), option2 – ACL and dVlan)
option1
Airespace ACL Name must have the same name as group policy name on Meraki AP
option2
- Configure authentication protocols
I suggest to configure custom authentication protocols set but “Default Network Services” is also good choice
- Configure ISE identity source sequence (optional)
For Meraki authentication I created separate identity source sequence which uses AD credentials only
- Configure ISE policies
Authentication policy
Authorization policy
TEST 1
Group policy assignment – ACL only
TEST 2
Group policy assignment – ACL and VLAN
dzbanek 02-06-2018