802.1x and Dynamic VLAN deployment for Cisco ISE and Meraki Access Points

SaintEvn
Level 1

Hi all,

We’ve deployed Cisco ISE in our DC and we planned to control 802.1x wireless access from branch sites. We’ve already configured a VPN tunnel between the DC and branches. We would like to configure dynamic VLAN assignment for the client PCs on branch sites, i.e., we have only one SSID and users from different user groups will be assigned to different VLANs when connected to Wi-Fi.

As we are using Meraki wireless APs on branch sites, is it possible to use the dynamic VLAN assignment feature with Cisco ISE?

As for now, we have already configured the dynamic VLAN feature in our environment, but some endpoints did not get an IP assigned although they passed authentication and authorization.

Thank You!


balaji.bandi
Hall of Fame

I do not believe this solution works, since you have only 1 SSID, which is associated with a VLAN already.

But with ISE profiling, based on the user group you can set up the security profile, i.e. what user / end device can access the resources.

As for now, we already configure dynamic VLAN feature in our environment, but some endpoints did not get IP assigned although it passed authentication and authorization.

Is this wired or wireless?

BB


SaintEvn
Level 1

The dynamic VLAN feature is supported with Cisco WLC, right? But with Cisco Meraki, it cannot work?

But right now only some endpoints can't get an IP address while most endpoints are working OK. And there is no VLAN tagging enabled for the SSID at this moment.

We planned to enable 802.1x only for the wireless network.

If this is not a proper solution, we'll deploy with different SSIDs then.

Have you tried Group Policy with Filter ID or Airespace ACL?

Depending on your AuthZ conditions, you can probably assign different Group Policies to different AuthZ Profiles, each with a different Group Policy associated with a different VLAN ID.

Here are the docs for your reference. https://documentation.meraki.com/MR/Group_Policies_and_Block_Lists/Using_RADIUS_Attributes_to_Apply_Group_Policies 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies 

Basically you create several Group Policies with different VLANs on the Meraki Dashboard, then create corresponding AuthZ Profiles on ISE which call the names of the Group Policies.


HTH
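
An added example, not part of any reply in this thread and not Cisco or Meraki code: a small Python decoder for checking what a RADIUS Access-Accept actually carries, namely the Filter-Id that names a Group Policy as described above and, as an assumption about how dynamic VLAN was configured, the RFC 3580 tunnel attributes. The packets, the policy name Staff-Policy and the VLAN IDs are constructed.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868) and the RFC 3580 VLAN values
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 11, 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value  # type, length, value

def build_accept(attrs):
    """Constructed Access-Accept for offline testing (authenticator zeroed)."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16)) + body

def summarize(packet):
    """Report the group policy name and VLAN an Access-Accept carries."""
    if len(packet) < 20 or not 20 <= int.from_bytes(packet[2:4], "big") <= len(packet):
        raise ValueError("bad RADIUS header")
    code, length = packet[0], int.from_bytes(packet[2:4], "big")
    res = {"accept": code == ACCESS_ACCEPT, "filter_id": None, "vlan": None, "problems": []}
    tunnel, i = {}, 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        t, v = packet[i], packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
        if t == FILTER_ID:
            res["filter_id"] = v.decode("utf-8", "replace")
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(v) == 4:
            tunnel[t] = int.from_bytes(v[1:], "big")    # first byte is the tag
        elif t == TUNNEL_PGID and v:
            if v[0] <= 0x1F:                            # optional leading tag byte
                v = v[1:]
            tunnel[t] = v.decode("utf-8", "replace")
    if tunnel:  # a partial tunnel set is reported instead of being trusted
        if tunnel.get(TUNNEL_TYPE) != VLAN:
            res["problems"].append("Tunnel-Type missing or not VLAN (13)")
        if tunnel.get(TUNNEL_MEDIUM) != IEEE_802:
            res["problems"].append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
        if not tunnel.get(TUNNEL_PGID):
            res["problems"].append("Tunnel-Private-Group-ID missing")
        if not res["problems"]:
            res["vlan"] = tunnel[TUNNEL_PGID]
    return res

# Constructed samples: the policy name and VLAN IDs are made up.
GOOD = build_accept([attr(FILTER_ID, b"Staff-Policy"), attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                     attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06"), attr(TUNNEL_PGID, b"20")])
PARTIAL = build_accept([attr(TUNNEL_PGID, b"\x0130")])
```

Running `summarize()` over the Access-Accept bytes from a packet capture for a working client and for one that gets no IP address shows whether both received the same policy name and VLAN.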

thomas
Cisco Employee

Typically your WLAN SSID is associated with a specific VLAN, regardless of the wireless product.

Cisco AireOS WLC with a specific Interface Group mapping to a VLAN:

[screenshots]

And in Meraki APs for a given SSID:

[screenshot]