Adaptive Policy MR Configuration Guide
Overview
Adaptive Policy requires a number of configurations across the stack; however, this document covers only the MR aspects of the feature enablement process.
For details on how to configure Adaptive Policy in your Dashboard Organization, refer to the Adaptive Policy Configuration Guide. To understand how Adaptive Policy works in a Meraki Dashboard Organization, please refer to the Adaptive Policy Overview document.
Use Case
- Static tagging of client traffic to specific SGTs based on SSID
- Dynamic tagging of clients based on RADIUS AV-Pair response
- Micro-segmentation between clients on the same AP and on separate access points in the same Adaptive Policy domain
Requirements
To enable Adaptive Policy on a network the following conditions must be met:
- MR Wave 2 and greater APs (excluding the MR20 and MR70)
- Advanced License (a grace period will be available until the MR 27.X release is GA)
MR safe-guarding and MS port configuration requirement
The nature of Adaptive Policy and inline SGT tagging is that adding an encapsulation layer can make or break connectivity for an AP's or switch's management traffic. Access points in particular could easily be stranded if tagging were enabled and the downstream switch did not support the encapsulation. To avoid this scenario, a fail-safe is built into the access points: upon a link-up event, if the access point does NOT receive Cisco MetaData (CMD)-encapsulated traffic within a set number of frames, the AP completely disables tagging until tagging is enabled on the connected switch and encapsulation is observed on the incoming frames.
The valid port configurations for an MR to enable Adaptive Policy when connected to a supported MS are the following:
If the supported MS interface is not configured to perform SGT encapsulation (CMD), i.e. the Peer SGT Capable setting is not enabled, the access point will disable the feature on that specific AP and produce an error message. If the attached switch is a TrustSec-capable Catalyst switch, please review the following article: IOS-XE Trunk Port Configuration
Configuration for Static Group Assignment
If Adaptive Policy is enabled on the network, applying a static tag to an SSID is configured under Wireless > Access Control > Addressing and traffic > Adaptive Policy Group.
In this menu you can select any of the groups configured under Organization > Adaptive policy > Groups.
Once this is configured, all clients attached to the SSID will be tagged with the specified tag.**
**Unless the SSID is configured for RADIUS and the RADIUS server sends back a specific tag, as explained below.
**Tagging is only supported in Bridge mode and NAT mode at this time.
Configuration for RADIUS assignment
SSIDs configured to use a RADIUS server to authenticate users with any of the following methods can dynamically override the default group tag assigned to the SSID:
- Open with MAC-Authentication
- WPA1/2/3-Enterprise with Custom RADIUS
- iPSK w/RADIUS
The RADIUS attribute value pair (AV-pair) uses the Cisco SGT AV-pair in the following format:
cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}
EXAMPLE: cisco-av-pair:cts:security-group-tag=0fa0-00
This example sends back an SGT of 4000 (0x0fa0).
The RADIUS assignment of group tags is done per session; to operate, it requires the AV-pair in every Access-Accept for the client.
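As an added illustration of the two assignment paths described above (the static SSID group tag and the per-session RADIUS override), the following Python script parses and builds the cts:security-group-tag AV-pair in the format given on this page and applies the stated precedence rule. This is example code written for this guide, not Meraki or Cisco code; it assumes the SGT is a 16-bit field, that the revision is written in hex (the page only shows the value 00), and that the attribute may also arrive as a bare Cisco-AVPair value starting at "cts:". The sample attributes are constructed.

```python
import re

# Regex for the AV-pair format given on this page:
#   cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}
# The "cisco-av-pair:" prefix is optional here because the attribute is carried as a
# Cisco-AVPair VSA whose value starts at "cts:" (assumption, not stated on the page).
_SGT_AVPAIR_RE = re.compile(
    r"^(?:cisco-av-pair:)?cts:security-group-tag="
    r"(?P<sgt>[0-9a-fA-F]{1,4})-(?P<rev>[0-9a-fA-F]{1,2})$"
)


def parse_sgt_avpair(avpair):
    """Return (sgt, revision) as ints from one AV-pair string, or None if malformed.

    The SGT is a 16-bit field, so at most four hex digits are accepted. The revision
    is parsed as hex as well (assumption: the page only shows the value '00').
    """
    m = _SGT_AVPAIR_RE.match(avpair.strip())
    if m is None:
        return None
    return int(m.group("sgt"), 16), int(m.group("rev"), 16)


def build_sgt_avpair(sgt, revision=0):
    """Render an SGT as the AV-pair string a RADIUS server would return (zero-padded hex)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    if not 0 <= revision <= 0xFF:
        raise ValueError("revision must fit in 8 bits")
    return "cisco-av-pair:cts:security-group-tag=%04x-%02x" % (sgt, revision)


def effective_sgt(ssid_static_sgt, access_accept_attributes):
    """Decide which SGT applies to a client session, following the precedence on this page.

    ssid_static_sgt: the group tag configured on the SSID (Adaptive Policy Group), or None.
    access_accept_attributes: attribute strings from this session's Access-Accept only,
    because assignment is per session and the AV-pair must be present in every Access-Accept.
    A well-formed cts:security-group-tag AV-pair overrides the static SSID tag; if it is
    absent or malformed, the static SSID tag stays in force.
    """
    for attr in access_accept_attributes:
        parsed = parse_sgt_avpair(attr)
        if parsed is not None:
            return parsed[0]
    return ssid_static_sgt


if __name__ == "__main__":
    # Constructed sample: the example AV-pair from this page, which encodes SGT 4000.
    sample = "cisco-av-pair:cts:security-group-tag=0fa0-00"
    print(parse_sgt_avpair(sample))                # (4000, 0)
    print(build_sgt_avpair(4000))                  # cisco-av-pair:cts:security-group-tag=0fa0-00
    print(effective_sgt(10, [sample]))             # 4000 (RADIUS overrides the SSID tag)
    print(effective_sgt(10, ["Class=employees"]))  # 10   (no SGT AV-pair, SSID tag applies)
```

The parser rejects anything outside the documented shape rather than guessing, which is the behaviour you want when validating what a RADIUS server is configured to return: a mistyped attribute silently falls back to the SSID's static group, so checking the exact string before rollout avoids clients landing in the wrong segment.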