Skip to main content
Cisco Meraki Documentation

Adaptive Policy MS Configuration Guide

Overview 

This document explains the configuration options for assigning Adaptive Policy (SGT) groups to client devices.

For details on how to configure Adaptive Policy in your Dashboard Organization, refer to the Adaptive Policy Configuration Guide. To understand how Adaptive Policy works in a Meraki Dashboard Organization, please refer to the Adaptive Policy Overview document.

NOTE: When configuring LACP/Aggregates with Adaptive Policy, please follow the process of:

  • Configuring each interface with the appropriate configurations e.g. Peer SGT Capable Enabled and Adaptive Policy Group 2,
  • Then once the interfaces match, Select and Aggregate the interfaces.

If the interfaces are aggregated first prior to adaptive policy configurations, there is a possibility that the configuration deployment may fail and cause an outage if the aggregate is the uplink for the switch. 

Adaptive Policy SGT propagation configuration

Adaptive policy relies on SGTs being transmitted between network devices that support inline SGT. To configure SGT propagation from switch to supported switch and switch to supported APs, please navigate to Switching > Monitor > Switch Ports  configure the port as the following:

 

Adaptive Policy configuration on switchport

 

Without this configured on Peer to Peer links, the SGT value will not be propagated on packets. This configuration is ONLY for inline SGT capable devices and will not work with MS switches previous to the MS390 or MR Access Points running firmware below MR 27.X. If configured for unsupported devices the device behind the switchport will be unable to communicate until the port is set back to Peer SGT capable - disabled. 

Static assignment of Adaptive Policy Group by switchport

An Adaptive Policy Group can be configured on a switch-port to have it statically associated to the client directly connected on that port. To configure an Adaptive Policy Group on a switch-port,

  1. Navigate to Switching > Monitor > Switch Ports.
  2. Select the port(s) you would like to apply the access policy to and press the Edit button.
  3. From the Adaptive policy group drop-down box, select the group to be assigned to the switch-port press the Update button.

 

Applying Adaptive policy group to switch port

 

RADIUS-based assignment of an Adaptive Policy Group

Adaptive Policy Groups or SGTs can also be associated with client devices dynamically, using the cisco-av-pair:cts:security-group-tag during the RADIUS authentication process. Enabling your devices for SGT assignments via RADIUS requires the RADIUS server send the above AV-pair on every successful authentication. The interface must NOT have a static SGT mapped to it or the 802.1X policy will not be deployed. The formatting for the attribute requires converting the decimal value to hex and including a revision version as a dash after (the revision version does not matter and is fine to send back -00. For example this is a tag of 4000:

RADIUS-based assignment of an Adaptive Policy Group

 

Configure Access Policy on switchports

 

  1. On the Dashboard navigate to Switching > Configure > Access Policies.
  2. Select the access policy you want to modify or, to add a new policy, click on the link Add an access policy in the main window, then select my RADIUS server from the drop-down menu for Authentication method.
    Access Policy on switchports using RADIUS
  3. Select the other options, as required. For details on configuring other options of the access policy refer to Creating an Access Policy on Dashboard
  4. Click Save Changes.
  5. Navigate to Switching > Monitor > Switch Ports.
  6. Select the port(s) you would like to apply the access policy to and press the Edit button.
  7. Convert the port type from trunk to access.  Note: you can only apply an Access Policy to an access port.
  8. From the Access Policy drop-down box, select the Access Policy you created and press the Update button.

For more details on client authentication on MS switches, refer to MS Switch Access Policies.
 

Please note that you cannot have static group assignment AND an 802.1x access policy configured on a switchport. If 802.1x is used on the interface, the interface group tag will be grayed out (Configured with default “Unspecified” value). In this case all Access-Accept messages for clients will require an SGT using the below av-pair.

Configure RADIUS server for SGT assignment

 

To assign an SGT value to a client, the RADIUS server would have to include the cts:security-group-tag attribute value pair in the RADIUS Access-Accept message. The syntax for this attribute is as follows.

cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}​

For example, the following statement would send back an SGT value of 4000 (0x0fa0 in hexadecimal).

cisco-av-pair:cts:security-group-tag=0fa0-00
  • Was this article helpful?