Cisco Meraki Documentation

Adaptive Policy MR Configuration Guide

Overview 

Adaptive Policy requires a number of configurations across the stack; this document covers only the MR (access point) aspects of the feature enablement process.

For details on how to configure Adaptive Policy in your Dashboard Organization, refer to the Adaptive Policy Configuration Guide. To understand how Adaptive Policy works in a Meraki Dashboard Organization, please refer to the Adaptive Policy Overview document.

Meraki APs use Security Group Tag (SGT) 2, designated as the "Infrastructure group", to tag traffic from their management interface and for Dashboard communication when Adaptive Policy is enabled.

Use Case 

Classification of endpoints for context sharing between network devices:

  • Static tagging of client traffic to specific SGTs based on SSID

  • Dynamic tagging of clients based on RADIUS AV-Pair response

Policy enforcement:

  • Micro-segmentation between clients on the same AP and separate access points in the same Adaptive Policy domain.

Requirements

Please refer to the overview document Adaptive Policy Requirements section found here.

MR safe-guarding and MS port configuration requirement

Adaptive Policy relies on inline SGT tagging, and adding an encapsulation layer can make or break connectivity for an AP's or switch's management traffic. Access points in particular could easily be stranded if tagging were enabled while the downstream switch did not support the encapsulation. To avoid this scenario there is a fail-safe built into the access points. Upon a link-up event, if the access point does NOT receive Cisco MetaData (CMD) encapsulated traffic within a set number of frames, the AP completely disables tagging until tagging is enabled on the connected switch and encapsulation is observed on incoming frames. An event log entry is generated with the following content (visible under Network-wide > Event Log, filtering for "Adaptive Policy state change"):

Event log for access points for adaptive policy

The valid port configurations for an MR to enable Adaptive Policy when connected to a supported MS are the following:

valid port configuration for MR

If the supported MS interface is not configured to perform SGT encapsulation (CMD), i.e. the Peer SGT Capable setting is not enabled, the access point will disable the feature on that specific AP and produce an error message. If the attached switch is a TrustSec-capable Catalyst switch, please review the following article: IOS-XE Trunk Port Configuration

Configuration for Static Group Assignment 

If Adaptive Policy is enabled on the network, a static tag for an SSID is configured under Wireless > Access Control > RADIUS > Adaptive Policy Group.

Adaptive Policy option under RADIUS


In this menu, you can select any of the groups configured under Organization > Configure > Adaptive policy > Groups.

Once this is configured, all clients attached to the SSID will be tagged with the specified tag.*

*Unless the SSID is configured for RADIUS and the RADIUS server sends back a specific tag, as explained below.

*Tagging is only supported on Bridge mode and NAT mode at this time.

Configuration for RADIUS assignment

SSIDs configured to use a RADIUS server to authenticate users for the following methods can dynamically override the default group tag assigned:

  • Open with MAC-Authentication
  • WPA1/2/3-Enterprise with Custom RADIUS
  • iPSK w/RADIUS

The RADIUS attribute value pair (av-pair) uses the Cisco SGT AV-Pair in the following form:

cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}

Example:
cisco-av-pair:cts:security-group-tag=0fa0-00

This example sends back an SGT of 4000 (0x0fa0).

RADIUS assignment of group tags is done per session; for it to take effect, the av-pair must be present in every Access-Accept for the client.
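As an added illustration (not Meraki's own code), the following Python builds and validates the av-pair string in the exact format shown above, and models the precedence described on this page: a valid SGT av-pair in the Access-Accept overrides the SSID's static group, and an absent or malformed av-pair falls back to it. It assumes the revision number is hexadecimal like the SGT field; the sample attribute list is constructed.

```python
import re
from typing import List, Optional, Tuple

# Format from the page: cisco-av-pair:cts:security-group-tag={SGT value in HEX}-{revision number}
# Assumption: the revision suffix is also hexadecimal (the page's example is "00").
_SGT_AVPAIR_RE = re.compile(
    r"^cisco-av-pair:cts:security-group-tag="
    r"(?P<sgt>[0-9a-fA-F]{1,4})-(?P<rev>[0-9a-fA-F]{1,2})$"
)


def encode_sgt_avpair(sgt: int, revision: int = 0) -> str:
    """Return the av-pair string for an SGT (16-bit) and revision (8-bit)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError(f"SGT {sgt} is outside the 16-bit range")
    if not 0 <= revision <= 0xFF:
        raise ValueError(f"revision {revision} is outside the 8-bit range")
    return f"cisco-av-pair:cts:security-group-tag={sgt:04x}-{revision:02x}"


def parse_sgt_avpair(value: str) -> Tuple[int, int]:
    """Return (sgt, revision) decoded from an av-pair string; raise on malformed input."""
    match = _SGT_AVPAIR_RE.match(value.strip())
    if not match:
        raise ValueError(f"not a cts:security-group-tag av-pair: {value!r}")
    return int(match.group("sgt"), 16), int(match.group("rev"), 16)


def sgt_for_session(accept_attributes: List[str], ssid_static_sgt: Optional[int]) -> Optional[int]:
    """Model of the page's precedence for one Access-Accept (constructed helper, not
    Meraki logic): the first valid SGT av-pair wins, otherwise the SSID's static group.
    Because assignment is per session, the caller must apply this to every Access-Accept."""
    for attr in accept_attributes:
        try:
            sgt, _revision = parse_sgt_avpair(attr)
            return sgt
        except ValueError:
            continue  # unrelated or malformed attribute; keep looking
    return ssid_static_sgt


if __name__ == "__main__":
    # Constructed Access-Accept attribute list containing the page's example av-pair.
    accept = ["Tunnel-Type=VLAN", "cisco-av-pair:cts:security-group-tag=0fa0-00"]
    print(encode_sgt_avpair(4000))          # cisco-av-pair:cts:security-group-tag=0fa0-00
    print(sgt_for_session(accept, 10))      # 4000 (RADIUS overrides the static SSID tag)
    print(sgt_for_session(["Tunnel-Type=VLAN"], 10))  # 10 (falls back to the static tag)
```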

Configuration for Group policy-based SGT assignment

Some networks want to apply an ACL to a group outbound rather than inbound, without creating a separate Adaptive Policy group, since that would mean managing two sets of clients. With MR31.1, administrators can assign an SGT based on the group policy, which allows outbound policies to be applied based on the SGT group without managing two sets of clients.

Note: Only one SGT can be assigned per group policy.

  1. Navigate to Network-wide > Group Policies > Wireless Only.

  2. Select Assign SGT when creating or editing a group.

Screenshot showing the network-wide configuration options for adaptive policy for wireless SSIDs

Prioritization of SGT assignment is as follows:

Highest priority

  1. Group policy

  2. RADIUS

  3. Port

  4. VAP

  5. VLAN

  6. Unknown

Lowest priority 

Group policy has the highest priority when applied statically through dashboard. 

Security Group Tag Roaming 
Security Group Tags assigned through RADIUS are preserved when clients roam between MRs over wired or wireless connections. The SGT for each group is present on both the source and target AP; when a client roams from the source to the target, the target AP looks up the client's group name and applies the per-group policy.
