Cisco Identity Services Engine (ISE) can be used for device posturing when paired with Meraki Access Points. Cisco ISE is another option for posturing devices and enables many additional business use cases.
The Meraki APs pass the necessary information to Cisco ISE over 802.1X/RADIUS and honor a URL redirect received from the Cisco ISE server. Using CoA (Change of Authorization), the Cisco ISE server can instruct the device to reauthenticate if its authorization status changes after device posturing is complete.
This posturing mechanism allows devices to be placed on a secure provisioning VLAN while they are postured. After posturing is complete, the device can be reauthenticated and placed on the corporate network once it has been profiled.
The following sections of this guide outline a configuration example that uses Cisco ISE as the posturing system, which also hosts the captive portal used for posturing.
The Meraki Access Point configuration is outlined below; all settings are on the Access Control page for a particular SSID (Wireless > Configure > Access Control).
Select WPA2-Enterprise Authentication from the association requirements section of the access control page.
Enter the details for the RADIUS server, including the IP address, port, and shared secret. If using dynamic group policies, select Airespace-ACL-Name as the RADIUS attribute that specifies the group policy name.
Select Cisco Identity Services Engine (ISE) Captive Portal Authentication in the Splash Page section of the Access Control page. This setting honors the Cisco custom url-redirect attribute (cisco-av-pair) sent from Cisco ISE.
If the option to configure ISE is not available, please contact Meraki Support to have the feature enabled.
The IP address of the Cisco ISE server needs to be added to the walled garden so that a client is permitted to reach the Cisco ISE server (and therefore the posture portal) before it has been authenticated by ISE.
DNS traffic is permitted through the walled garden by default.
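To make the AP-side handling concrete, the following added Python example (not code from the Meraki documentation) builds and parses the two RADIUS Vendor-Specific attributes this page relies on, a cisco-av-pair url-redirect for the pre-posture state and an Airespace-ACL-Name for the post-posture group policy, and applies the walled-garden rule (DNS and the ISE IP only). The vendor IDs (Cisco 9, Airespace 14179), sub-attribute numbers, and all IPs and URLs are assumptions or constructed sample values.

```python
import struct

VSA_TYPE = 26                                 # RADIUS Vendor-Specific (RFC 2865)
CISCO_VENDOR, CISCO_AVPAIR = 9, 1             # assumption: cisco-av-pair VSA
AIRESPACE_VENDOR, AIRESPACE_ACL_NAME = 14179, 6  # assumption: Airespace-ACL-Name VSA

def encode_vsa(vendor: int, subtype: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute: type, length, vendor id, sub-attribute."""
    sub = struct.pack("!BB", subtype, 2 + len(value)) + value
    payload = struct.pack("!I", vendor) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(payload)) + payload

def parse_vsas(data: bytes) -> list:
    """Walk a RADIUS attribute list and return (vendor, subtype, value) for every VSA."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:                           # malformed length would loop forever
            raise ValueError("bad attribute length")
        body = data[i + 2:i + alen]
        if atype == VSA_TYPE:
            vendor, j = struct.unpack("!I", body[:4])[0], 4
            while j < len(body):
                st, sl = body[j], body[j + 1]
                out.append((vendor, st, body[j + 2:j + sl]))
                j += sl
        i += alen
    return out

def ap_decision(vsas: list) -> dict:
    """Mimic the AP: url-redirect => splash to ISE; Airespace-ACL-Name => group policy."""
    result = {"redirect": None, "group_policy": None}
    for vendor, st, val in vsas:
        if vendor == CISCO_VENDOR and st == CISCO_AVPAIR:
            key, _, url = val.decode().partition("=")
            if key == "url-redirect":
                result["redirect"] = url
        elif vendor == AIRESPACE_VENDOR and st == AIRESPACE_ACL_NAME:
            result["group_policy"] = val.decode()
    return result

def walled_garden_allows(dst_ip: str, dst_port: int, ise_ip: str) -> bool:
    """Pre-auth policy from the page: DNS is allowed by default, plus the ISE server."""
    return dst_port == 53 or dst_ip == ise_ip

# Constructed sample Access-Accept attribute lists for the two client states.
def sample_pre_posture() -> bytes:
    return encode_vsa(CISCO_VENDOR, CISCO_AVPAIR,
                      b"url-redirect=https://ise.example.com:8443/portal/posture")

def sample_post_posture() -> bytes:
    return encode_vsa(AIRESPACE_VENDOR, AIRESPACE_ACL_NAME, b"Employee_Access")
```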
The following sections focus on Cisco ISE 1.3. Configuration may vary based on the version of Cisco ISE.
Navigate to Administration > Identity Management > Identities, and click on the Users folder. Create two new users (employee and contractor) using the Add button.
New user Screen
User list after both users have been added
On ISE, the authorization profile must be created first. Then the authentication and authorization policies are configured. The individual Meraki APs should already be configured as network devices.
Ensure that ISE accepts all 802.1X authentication requests from the Meraki AP, and that it drops the authentication request when the user is not found.
Under the Policy menu, click Authentication.
The next image shows an example of how to configure the authentication policy rule. In this example, a rule is configured that triggers when 802.1X is detected.
ISE profiling probes need to be enabled in order to profile endpoints effectively. By default, these probes are disabled. This section shows how to enable them.
From the Edit Node page, select the Profiling Configuration and configure the following:
DHCP: Enabled, All (or default)
DHCPSPAN: Enabled, All (or default)
HTTP: Enabled, All (or default)
RADIUS: Enabled, N/A
DNS: Enabled, N/A
Out of the box, ISE provides a library of various endpoint profiles. Complete these steps in order to enable profiles for devices:
For this example we are enabling Identity Group Creation for the following profiles:
The screenshot below shows how to enable Identity Group creation for OS X Workstations.
In order to verify the authorization rules, navigate to Policy > Authorization.
Users who associate to the SSID and have already been profiled, matching one of the defined device types, are assigned either the Employee_Access or Contractor_Access authorization profile based on the Internal User that logs in via 802.1X.
Users who associate to the SSID but have not yet been profiled match the third rule, which uses the Posture_Remediation authorization profile to redirect them to the Posture Portal.
Add the Meraki AP management IPs or subnet as a Network Access Device from Administration > Network Resources > Network Devices.