Cisco Meraki

Adaptive Policy MR Configuration Guide

Overview 

Adaptive Policy requires a number of configurations across the stack; however, this document covers only the MR aspects of the feature enablement process.

For more information on the Adaptive Policy feature as a whole please review the following documentation article: 

For how to enable the feature for a network please review the following documentation article: 

Use Case 

  • Static tagging of client traffic to specific SGTs based on SSID

  • Dynamic tagging of clients based on RADIUS AV-Pair response

  • Micro-segmentation between clients on the same AP and separate access points in the same Adaptive Policy domain


Requirements

To enable Adaptive Policy on a network the following conditions must be met:

  1. MR Wave 2 and greater APs (excluding the MR20 and MR70)
  2. Advanced License (grace period will be available until MR's 27.X release is GA)

MR safe-guarding and MS port configuration requirement

The nature of Adaptive Policy and inline SGT tagging is that adding an encapsulation layer can make or break connectivity for an AP's or switch's management traffic. Access points especially could easily be stranded if tagging were enabled and the downstream switch did not support the encapsulation. To avoid this scenario there is a fail-safe built into the access points: upon a link-up event, if the access point does NOT receive Cisco MetaData (CMD) encapsulated traffic within a set number of frames, the AP will completely disable tagging until tagging is enabled on the connected switch and encapsulation is observed on the incoming frames.


The valid port configurations for an MR to enable Adaptive Policy when connected to a supported MS are the following:

[Screenshot: supported MS port configuration for Adaptive Policy]

If the supported MS interface is not configured to perform SGT encapsulation (CMD), which requires the Peer SGT Capable setting to be enabled, the access point will disable the feature on that specific AP and produce an error message. If the attached switch is a TrustSec-capable Catalyst switch, please review the following article: IOS-XE Trunk Port Configuration

Configuration for Static Group Assignment 

If Adaptive Policy is enabled on the network, applying a static tag to an SSID is configured under Wireless > Access Control > Addressing and traffic > Adaptive Policy Group.

[Screenshot: Adaptive Policy Group setting under Addressing and traffic]


In this menu you can select any of the groups configured under Organization > Adaptive policy > Groups.

Once this is configured, all clients attached to the SSID will be tagged with the specified tag.**

** Unless the SSID is configured for RADIUS and the RADIUS server sends back a specific tag, as explained below.

** Tagging is only supported on Bridge Mode and NAT mode at this time.

Configuration for RADIUS assignment

SSIDs configured to use a RADIUS server to authenticate users for the following methods can dynamically override the default group tag assigned:

  • Open with MAC-Authentication
  • WPA1/2/3-Enterprise with Custom RADIUS
  • iPSK w/RADIUS

The RADIUS attribute value pair (av-pair) uses the Cisco SGT AV-Pair in the following form:

cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}

Example:

cisco-av-pair:cts:security-group-tag=0fa0-00

This example sends back an SGT of 4000 (0x0fa0 in hex).

The RADIUS assignment of group tags is done per-session; for it to take effect, the av-pair must be present in every Access-Accept for the client.
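To make the av-pair encoding concrete, here is an added Python example (not Meraki code) that parses and builds the cts:security-group-tag value described above and resolves which tag a session receives: a well-formed RADIUS tag overrides the SSID's static group, otherwise the static group applies. It assumes the revision field is written as hex digits (the page only shows 00) and that an SGT is a 16-bit value; the hypothetical sample attributes are constructed here.

```python
import re
from typing import List, Optional, Tuple

# Value format from the page: cts:security-group-tag=<SGT in hex>-<revision>.
# The "cisco-av-pair:" prefix is the RADIUS VSA name and is accepted optionally.
# Assumption: the revision is 1-2 hex digits (the page only shows "00").
_AVPAIR_RE = re.compile(
    r"^(?:cisco-av-pair:)?cts:security-group-tag=([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,2})$"
)


def parse_sgt_avpair(value: str) -> Optional[Tuple[int, int]]:
    """Return (sgt, revision) for a well-formed av-pair, or None if malformed.

    A malformed value is treated as absent, so the SSID's static tag still
    applies rather than a half-parsed number.
    """
    match = _AVPAIR_RE.match(value.strip())
    if not match:
        return None
    return int(match.group(1), 16), int(match.group(2), 16)


def build_sgt_avpair(sgt: int, revision: int = 0) -> str:
    """Encode a decimal SGT (as shown in Dashboard) into the hex-revision string.

    The page's example: SGT 4000 becomes 0fa0-00. SGTs are 16-bit values, so
    anything outside 0..65535 is rejected instead of silently truncated.
    """
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError(f"SGT {sgt} does not fit in 16 bits")
    if not 0 <= revision <= 0xFF:
        raise ValueError(f"revision {revision} does not fit in 8 bits")
    return f"cts:security-group-tag={sgt:04x}-{revision:02x}"


def effective_sgt(ssid_static_sgt: Optional[int], access_accept_attrs: List[str]) -> Optional[int]:
    """Tag applied to one session: RADIUS av-pair first, else the SSID static tag.

    Because assignment is per-session, this is evaluated against the attributes
    of each Access-Accept; None means the client is left untagged.
    """
    for attr in access_accept_attrs:
        parsed = parse_sgt_avpair(attr)
        if parsed is not None:
            return parsed[0]
    return ssid_static_sgt
```

Note the decimal-versus-hex pitfall: a server that emits the Dashboard value 4000 unconverted ("cts:security-group-tag=4000-00") is actually asserting SGT 16384.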

