Organizations often need to grant access to employees and devices based on their role and function, even though they all connect to the same network. This creates segmentation, secures the network, and keeps employees from accessing resources they should not.


Based on the user's or device's login credentials, Cisco ISE can return a unique authorization policy, which is then enforced by the network access devices.

We will look at how to authorize Meraki wireless users based on different AD groups. Finance users will not be able to access Facebook or any file sharing sites and should not exceed 1 Mbps of wireless bandwidth. IT users will not be able to access any sports or gambling sites and should not exceed 2 Mbps of bandwidth per user.

The overall flow of the deployment involves employees connecting their personal devices to a secure SSID called “COG_CORP” using their AD credentials. Once a user is connected, based on “who” the user is, ISE pushes the name of the group policy to the Meraki AP as part of the authorization policy. The Meraki AP matches that name against the group policies configured locally and enforces the matching policy on the user. Let's see how it's configured.


Configure the SSID and RADIUS parameters on the Meraki dashboard. In this case we have an SSID, COG_CORP, which requires 802.1X authentication, and the custom RADIUS server points to ISE.

Add ISE to the Meraki dashboard and make sure CoA is enabled, although we will not be using CoA heavily in this use case.

Configure the NAD and its RADIUS parameters on ISE, and make sure the shared secret matches between Meraki and ISE. Configure SNMP probes etc. on ISE.

Configure SNMP settings on ISE, as we will be using SNMP probes along with DHCP, HTTP, NMAP and RADIUS to learn about client profiles.

Enable policy sets on ISE. A policy set adds an additional layer of policy segregation and makes policy management easier.

Integrate AD with ISE and import the user groups. In this case we are particularly concerned with the group “enroll”, as users in this group will be able to register their personal devices. This group consists mostly of IT and senior management.

Finance users have a bandwidth limit of 1 Mbps per user. They are denied access to the server, any file sharing application and Facebook.

IT users have a bandwidth limit of 2 Mbps per user. They are denied access to any gaming and sports sites.

Define the authorization profile for Finance users. Note that the Airespace ACL name “FINANCE” on ISE is the same as the group policy name on Meraki.

Define the authorization profile for IT users. Note that the Airespace ACL name “IT” on ISE is the same as the group policy name on Meraki.
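
Because enforcement depends on the returned name matching a Meraki group policy, it helps to check what ISE actually sends. The following is an added example, not part of the original walkthrough: it extracts Airespace-ACL-Name (vendor 14179, sub-attribute 6) from a constructed Access-Accept and compares it with the policy names used here. Treating the comparison as an exact string match is an assumption of the example, and the helper names are hypothetical.

```python
import struct

AIRESPACE_VENDOR_ID = 14179   # Airespace enterprise number carried in the VSA
AIRESPACE_ACL_NAME = 6        # Airespace-ACL-Name sub-attribute
VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute type
ACCESS_ACCEPT = 2

def build_vsa(vendor_id, sub_type, value):
    """Encode one vendor sub-attribute inside a Vendor-Specific attribute."""
    sub = bytes([sub_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

def build_accept(acl_name):
    """Constructed sample Access-Accept (zeroed authenticator) with one ACL name."""
    attrs = build_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, acl_name.encode())
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attrs), bytes(16)) + attrs

def airespace_acl_name(packet):
    """Return the Airespace-ACL-Name from an Access-Accept, or None if absent."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            sub = body[4:]
            while vendor == AIRESPACE_VENDOR_ID and len(sub) >= 2:
                s_type, s_len = sub[0], sub[1]
                if s_len < 2 or s_len > len(sub):
                    raise ValueError("malformed sub-attribute")
                if s_type == AIRESPACE_ACL_NAME:
                    return sub[2:s_len].decode()
                sub = sub[s_len:]
        pos += a_len
    return None

def matching_policy(packet, local_policies):
    """Exact-match the returned name against the locally configured policies."""
    name = airespace_acl_name(packet)
    return name if name in local_policies else None

MERAKI_POLICIES = {"FINANCE", "IT"}  # group policy names from this walkthrough
```

With these sample packets, a profile returning “Finance” instead of “FINANCE” yields no match, which is the kind of mismatch to rule out first when a user authenticates but the group policy is not applied.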

Define the policy on ISE. The authentication policy is generic and covers 802.1X/PEAP, but it can also be defined specifically for 802.1X/PEAP only if needed. The important thing to note is the authorization policy, which points to the authorization results.


Verifying the Finance user on ISE for testing.

Testing with Finance user.

Authentication and authorization logs on ISE

Testing authorization enforcement on the Finance user: they can access gaming sites but not Facebook, as per our policy.

Note the enforcement of 1 Mbps bandwidth for Finance users.

Testing IT user credentials on ISE

Login with IT credentials.

ISE authentication and authorization logs

Testing authorization enforcement for IT users. Note that IT users can access Facebook but not a gaming site or gambling site.

Note the bandwidth enforcement of 2 Mbps for IT users, on the same machine, compared to 1 Mbps for Finance users.

I hope you enjoyed reading it as much as I enjoyed writing it.