Cisco Identity Services Engine (ISE) can be used for guest management when paired with Meraki access points. Cisco ISE is also an option for authorizing users, which enables many additional business use cases.
The Meraki APs pass the necessary information to Cisco ISE using MAC-based authentication and honor a URL redirect received from the Cisco ISE server. Using RADIUS Change of Authorization (CoA), the Cisco ISE server can ensure that the correct authorization is applied to end-user devices based on their authentication status.
The following sections of this guide outline a configuration example using Cisco ISE as the guest management system, which also hosts the captive portal.
The Meraki access point configuration is outlined below; all of the settings are on the Access Control page for a particular SSID (Wireless > Configure > Access Control).
Select MAC-based authentication from the Association requirements section of the Access Control page.
Enter the details for the RADIUS server, including the IP address, port, and secret. If using group policies, select Airespace-ACL-Name as the RADIUS attribute that specifies the group policy name. The value returned in Airespace-ACL-Name must match the name of one of the group policies configured under Network-wide > Group Policies.
Select Cisco Identity Services Engine (ISE) Captive Portal Authentication in the Splash page section of the Access Control page. This setting honors the Cisco custom url-redirect attribute sent from Cisco ISE.
The IP address of the Cisco ISE server must be added to the walled garden so that a client is permitted to reach the ISE server before it has been authenticated by Cisco ISE.
DNS traffic is permitted through the walled garden by default.
The following sections focus on Cisco ISE 1.3; the configuration may vary with the version of Cisco ISE. The Cisco ISE configuration details have been sourced from the ISE configuration example by Michal Garcarz and Nicolas Darchis of Cisco TAC (http://www.cisco.com/c/en/us/support...re-ise-00.html).
Navigate to Guest Access > Configure > Guest Portals, and create a new portal. In this example a Self Registered Guest Portal is used and all splash page settings are left at their defaults. The portal name configured here is used in other sections of the configuration outlined in this document. A number of customization options can be configured on the Cisco ISE guest portal, but they are outside the scope of this document.
On ISE, the authorization profile must be created first; then the authentication and authorization policies are configured. The individual Meraki APs should already be configured as network devices.
Ensure that ISE accepts all MAC authentication requests from the Meraki APs and continues the authentication even if the user (MAC address) is not found.
Under the Policy menu, click Authentication.
The next image shows an example of how to configure the authentication policy rule. In this example, a rule is configured that triggers when MAB is detected.
To verify the authorization rules, navigate to Policy > Authorization. In ISE 1.3, a failed MAC Authentication Bypass (MAB) lookup (MAC address not found) continues authentication by default rather than rejecting it. This is very useful for guest portals because nothing needs to be changed in the default authentication rules.
New users who associate to the guest SSID are not yet part of any identity group, so they match the second rule, which uses the Guest authorization profile to redirect them to the correct guest portal.
After a user creates an account and logs in successfully, ISE sends a RADIUS CoA and the WLC (in this deployment, the Meraki AP) re-authenticates the client. This time the first rule is matched together with the PermitInternet authorization profile, which returns the ACL name that is applied on the WLC.
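As an added illustration (not code from the Meraki or Cisco documentation), the following Python encodes the two authorization outcomes described above as the RADIUS vendor-specific attributes the AP receives (the Cisco url-redirect av-pair for the Guest profile, Airespace-ACL-Name for PermitInternet) and mirrors the rule order. The vendor IDs are the standard Cisco (9) and Airespace (14179) values; the ISE host name, portal path, group policy name and MAC addresses are assumed placeholders.

```python
import struct

# RADIUS Vendor-Specific Attribute layout (RFC 2865, section 5.26):
#   Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value
VSA_TYPE = 26
CISCO_VENDOR_ID = 9            # cisco-av-pair is vendor-type 1 (carries url-redirect=...)
CISCO_AV_PAIR = 1
AIRESPACE_VENDOR_ID = 14179    # Airespace-ACL-Name is vendor-type 6
AIRESPACE_ACL_NAME = 6

def encode_vsa(vendor_id, vendor_type, value):
    """Build one VSA; Vendor-Length covers vendor-type, vendor-length and the value."""
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VSA_TYPE, len(inner) + 6, vendor_id) + inner

def decode_vsas(blob):
    """Walk a RADIUS attribute blob and return (vendor_id, vendor_type, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")   # refuse truncated/overlong attrs
        if atype == VSA_TYPE:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            vtype, vlen = blob[i + 6], blob[i + 7]
            out.append((vendor_id, vtype, blob[i + 8:i + 6 + vlen].decode()))
        i += alen
    return out

def guest_redirect_profile(ise_host, portal_path):
    """Authorization profile 'Guest': send the client to the ISE captive portal (assumed URL)."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR,
                      f"url-redirect=https://{ise_host}:8443{portal_path}")

def permit_internet_profile(group_policy):
    """Authorization profile 'PermitInternet': name the Meraki group policy to apply."""
    return encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, group_policy)

def authorize(mac, guest_endpoints):
    """Mirror the two ISE rules: registered guests match first, everyone else is redirected."""
    if mac.lower() in guest_endpoints:
        return "PermitInternet", permit_internet_profile("Guest-Internet")   # assumed policy name
    return "Guest", guest_redirect_profile("ise.example.internal",          # assumed host/path
                                           "/portal/gateway?portal=SelfRegGuest")
```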
Add the Meraki AP management IPs or subnet as a Network Access Device from Administration > Network Resources > Network Devices.