Skip to main content
Cisco Meraki Documentation

Adaptive Policy MR Configuration Guide


Adaptive Policy requires a number of configurations across the stack however this document will cover only the MR aspects of the feature enablement process.

For details on how to configure Adaptive Policy in your Dashboard Organization, refer to the Adaptive Policy Configuration Guide. To understand how Adaptive Policy works in a Meraki Dashboard Organization, please refer to the Adaptive Policy Overview document.

Use Case 

Classification of endpoints for context sharing between network devices:

  • Static tagging of client traffic to specific SGTs based on SSID

  • Dynamic tagging of clients based on RADIUS AV-Pair response

Policy enforcement:

  • Micro-segmentation between clients on the same AP and separate access points in the same Adaptive Policy domain


Please refer to the overview document Adaptive Policy Requirements section found here

MR safe-guarding and MS port configuration requirement

The nature of adaptive policy and inline SGT tagging is that adding an encapsulation layer can make or break connectivity for an AP or switch’s management traffic. Access points especially could easily be stranded if tagging was enabled and the down-stream switch did not support the encapsulation. To avoid this scenario there is a fail-safe built into the access points. Upon a link-up event ( By going to Network-wide > Event Log  then filter for Adaptive Policy state change ) if the access point does NOT receive Cisco MetaData (CMD) encapsulated traffic for a set number of frames, the AP will completely disable tagging until tagging is enabled on the connected switch and encapsulation is observed on the incoming frames. An event log is generated with the following content:

Event log for access points for adaptive policy


The valid port configuration for MR to enable adaptive policy when connected to a supported MS are the following:

valid port configuration for MR

If the supported MS interface is not configured to perform SGT encapsulation (CMD) via the Peer SGT Capable configuration being enabled, the access point will disable the feature on that specific AP and produce an error message. If the attached switch is a TrustSec capable catalyst switch please review the following article: IOS-XE Trunk Port Configuration

Configuration for Static Group Assignment 

If Adaptive Policy is enabled on the network, applying a static tag to an SSID is configured under Wireless > Access Control > RADIUS > Adaptive Policy Group

Adaptive Policy option under RADIUS


In this menu, you can select any of the groups configured under Organization > Configure > Adaptive policy > Groups.

Once this is configured, all clients attached to the SSID will be tagged with the specified tag** 

**unless the SSID is configured for RADIUS and the RADIUS server sends back a specific tag as explained below.

**Tagging is only supported on Bridge Mode and NAT mode at this time.

Configuration for RADIUS assignment

SSIDs configured to use a RADIUS server to authenticate users for the following methods can dynamically override the default group tag assigned:

  • Open with MAC-Authentication
  • WPA1/2/3-Enterprise with Custom RADIUS

The RADIUS attribute value pair (av-pair) uses the Cisco SGT AV-Pair of: 

cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}​
This example sends back an SGT of 4000

The RADIUS assignment of group tags is done per-session and to operate will require the av-pair in every access-accept for the client.


  • Was this article helpful?