Cisco ISE, Meraki MX FWs and dynamic VLANS

sdkhy
Level 1

Hi,

Our network only consists of Meraki products and now we are looking at the possibility of implementing 802.1X on wired and using Cisco ISE for that.

Our business is geographically very spread out and we have both large and small branches. Some small branches only have an MX firewall and MR APs so we have a challenge with applying Access policy on MX ports (Not possible in Meraki) unlike an MS switch.

What we want to implement on MX FW ports is Failed Auth VLAN on the devices that fail to authenticate (e.g. new Windows Autopilot devices). Can we create such a policy in ISE that applies on Failed Auth devices to end up on e.g. VLAN15?

I have set up ISE in a test environment and also one test branch on Meraki network. Some simple rules for testing 802.1X are set up. Devices that can authenticate end up right. Now I want to solve those who can't.

I've been looking for useful info but so far I haven't found anything that can help me.

 

 

 


balaji.bandi
Hall of Fame

What do you see in the Live Logs on ISE? (What ISE version?)

Have you looked at the guide below:

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

BB


For that use-case you need an MS.  Dynamic VLAN assignment for MX ports is not possible.

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

Hi,

When we asked our Cisco account manager, we got the answer that it was possible via ISE. Now you are telling me that it is not possible :).

You can authenticate the device on the MX ports; 802.1X and MAB are supported. However, the MX will ignore the VLAN that the ISE sends. The MX receives the VLAN ID, which is visible in the event log, but it doesn't act on it—one of the many restrictions of the MX.