Adaptive Policy MS Configuration Guide
Overview
This document explains the configuration options for assigning Adaptive Policy (SGT) groups to client devices.
For details on how to configure Adaptive Policy in your Dashboard Organization, refer to the Adaptive Policy Configuration Guide. To understand how Adaptive Policy works in a Meraki Dashboard Organization, refer to the Adaptive Policy Overview document.
Use the following process to configure LACP/Aggregates with Adaptive Policy:
- Configure each interface as desired
- Select and aggregate the interfaces with matching configurations
If the interfaces are already aggregated prior to adaptive policy configurations, there is a possibility that the configuration deployment may fail and cause an outage if the aggregate is the uplink for the switch.
Adaptive Policy Classification Order of Operation
Adaptive Policy supports multiple methods of performing classification of endpoints to an SGT. The order of operation for classification is from highest to lowest priority:
- Port to SGT OR RADIUS session SGT Assignment (802.1X/MAB)
- IP / Subnet to SGT Map
- VLAN to SGT Map
- Last resort assignment of 0 (unknown)
Example 1: If a RADIUS session does not supply an SGT in the Access-Accept back for a MAB / 802.1X session, the switch will look up the endpoint's IP address against any IP to SGT or Subnet to SGT maps. If no match is found (whether a host IP to SGT or Subnet to SGT) the switch will then perform a VLAN to SGT lookup. If no VLAN to SGT match is found, the endpoint will be marked as 0 (unknown) and policy will be applicable based on the SGT 0 policy definition.
Example 2: If a switchport is not configured for 802.1X / MAB, and there is no static port to SGT map, the switch will always fall back to first a subnet to SGT lookup, then VLAN to SGT lookup, and finally, if no match is found, a classification of 0 for unknown.
Adaptive Policy SGT Propagation Configuration
Adaptive policy relies on SGTs being transmitted between network devices that support inline SGT. To configure SGT propagation from switch to supported switch and switch to supported APs, navigate to Switching > Monitor > Switch Ports configure the port as the following:
Without enabling Peer SGT Capable on Peer to Peer links, the SGT value will not be propagated through CMD encapsulation to the next hop device.
This configuration is ONLY for inline SGT capable devices including the MS130 (R and X models) on MS17+ firmware, MS390/C9K-M, and MR/CW Access Points running firmware MR 27+. This is also used to propagate SGTs to any Cisco product that supports inline tagging (e.g. Catalyst, Firepower, Nexus that are in the TrustSec support Matrix).
If configured on links to unsupported devices, the device behind the switch port will be unable to communicate until the port is set back to Peer SGT capable - disabled.
Static Assignment of Adaptive Policy Group by Switch Port
An Adaptive Policy Group can be configured on a switch-port to have it statically associated to the client directly connected on that port. This functionality is supported on both access and trunk ports. To configure an Adaptive Policy Group on a switch-port,
- Navigate to Switching > Monitor > Switch Ports.
- Select the port(s) you would like to apply the access policy to and press the Edit button.
- From the Adaptive policy group drop-down box, select the group to be assigned to the switch-port press the Update button.
VLAN-Based SGT Assignment
The VLAN to SGT feature allows users to configure an SGT value for an entire VLAN. Example: VLAN HR is mapped to SGT 20, therefore all endpoints on the VLAN HR will be assigned the SGT 20.
This feature could be used in a few different scenarios:
-
As a fallback SGT - In this scenario if the users do not get assigned an SGT via RADIUS, or the RADIUS servers are down this VLAN can be used as a fallback mechanism to assign a fallback SGT to all users.
-
Users have a very good definition of their VLANs and want to assign SGTs via VLAN instead of Radius. (Example: HR->SGT20, Finance->SGT30, PCI->SGT40)
RADIUS assigned SGT via AV-Pair, as well as IP to SGT maps will take precedence over VLAN to SGT assignment
The order of operation for classification is from highest to lowest priority:
- Port to SGT OR RADIUS session SGT Assignment
- IP / Subnet to SGT Map
- VLAN to SGT Map
- last resort 0 (unknown)
This means that if you have a client that matches an IP to SGT map, it will NOT be classified based on a VLAN to SGT map.
Note: The VLAN to SGT mapping feature is available on MS390 and Catalyst switches in managed mode from firmware CS 17.1.2.1 and above, as well as all MS130X/R and MS150 models with MS17+.
To configure:
-
Navigate to Network-wide->VLAN profiles
-
Select VLAN Profiles Tab, Click the … and select Edit
- Select the VLAN you'd like to add/edit an SGT for from the drop down box, then click save profile changes
To verify successful configuration:
In the dashboard, navigate to Switching, select your switch and the configured port.
You will see the IP and MAC as well as the SGT of the client which should Match what you set in the VLAN profile.
RADIUS-Based Assignment of an Adaptive Policy Group
Adaptive Policy Groups or SGTs can also be associated with client devices dynamically, using the cisco-av-pair:cts:security-group-tag during the RADIUS authentication process. Enabling your devices for SGT assignments via RADIUS requires the RADIUS server send the above AV-pair on every successful authentication. The interface must NOT have a static SGT mapped to it or the 802.1X policy will not be deployed. The formatting for the attribute requires converting the decimal value to hex and including a revision version as a dash after (the revision version does not matter and is fine to send back -00. For example this is a tag of 4000:
Configure Access Policy on Switch Ports
- On the Dashboard navigate to Switching > Configure > Access Policies.
- Select the access policy you want to modify or, to add a new policy, click on the link Add an access policy in the main window, then select my RADIUS server from the drop-down menu for Authentication method.
- Select the other options, as required. For details on configuring other options of the access policy refer to Creating an Access Policy on Dashboard
- Click Save Changes.
- Navigate to Switching > Monitor > Switch Ports.
- Select the port(s) you would like to apply the access policy to and press the Edit button.
- Convert the port type from trunk to access. Note: you can only apply an Access Policy to an access port.
- From the Access Policy drop-down box, select the Access Policy you created and press the Update button.
For more details on client authentication on MS switches, refer to MS Switch Access Policies.
You cannot have static group assignment and an 802.1x access policy configured on a switch port. If 802.1x is used on the interface, the interface group tag will be grayed out (Configured with default “Unspecified” value). In this case all Access-Accept messages for clients will require an SGT using the below av-pair. If no SGT is supplied, the switch will fall back to a less specific match (IP/Subnet/VLAN to SGT).
Configure RADIUS Server for SGT Assignment
To assign an SGT value to a client, the RADIUS server would have to include the cts:security-group-tag attribute value pair in the RADIUS Access-Accept message. The syntax for this attribute is as follows.
cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}
For example, the following statement would send back an SGT value of 4000 (0x0fa0 in hexadecimal).
cisco-av-pair:cts:security-group-tag=0fa0-00
Additional Adaptive Policy Resources
For additional information on Adaptive Policy, refer to the following links:
Adaptive Policy Overview
Adaptive Policy Configuration Guide
Adaptive Policy for MX/Z Platforms
Adaptive Policy MR Configuration Guide
Adaptive Policy Telemetry
Adaptive Policy and Cisco ISE