INTRODUCTION
Organizations often need to grant employees and devices access according to their role and function, even when they all connect to the same network. Doing so creates segmentation, keeps the network secure, and prevents employees from reaching resources they should not.
CONCEPT
Based on the user's or device's login credentials, Cisco ISE can return a unique authorization result, which the network access device (NAD) then enforces.
We will look at how to authorize Meraki wireless users based on their AD group membership. Finance users will be unable to reach Facebook or any file-sharing site and will be capped at 1 Mbps of wireless bandwidth per user. IT users will be unable to reach sports or gambling sites and will be capped at 2 Mbps per user.
The overall flow is this: an employee connects a personal device to a secure SSID called "COG_CORP" using AD credentials. Once the user is authenticated, ISE determines "who" the user is and returns the name of a group policy to the Meraki AP as part of the authorization result. The Meraki AP matches that name against the group policies configured locally and enforces the matching policy on the client. Let's see how this is configured.
CONFIGURATION
Configure the SSID and RADIUS parameters on the Meraki dashboard. In this case the SSID COG_CORP requires 802.1X authentication and its custom RADIUS server points to ISE.
When adding ISE to the Meraki dashboard, make sure CoA (Change of Authorization) is enabled, although CoA is not used heavily in this use case.
Add the Meraki network as a NAD on ISE and set its RADIUS parameters; the shared secret must match between Meraki and ISE.
Configure SNMP settings on ISE as well, since the SNMP probe will be used alongside the DHCP, HTTP, NMAP and RADIUS probes to profile clients.
Enable policy sets on ISE. A policy set adds a further layer of policy segregation and makes policy management easier.
Integrate AD with ISE and import the user groups. In this case we are particularly interested in the group "enroll", because users in that group are allowed to register their personal devices; it consists mainly of IT staff and senior management.
Finance users get a bandwidth limit of 1 Mbps per user and are denied access to the server 192.168.129.1, any file-sharing application, and Facebook.
IT users get a bandwidth limit of 2 Mbps per user and are denied access to any gaming and sports sites.
Define the authorization profile for Finance users. Note that the Airespace ACL Name "FINANCE" on ISE must be exactly the same as the group policy name on Meraki; the match is by name only.
Define the authorization profile for IT users. Here too the Airespace ACL Name "IT" on ISE must match the group policy name on Meraki exactly.
Define the policy on ISE. The authentication policy is generic and covers 802.1X/PEAP, but it can also be defined specifically for 802.1X/PEAP if needed. The important part is the authorization policy: each rule matches on the AD group and points to the corresponding authorization profile defined above.
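To make the hand-off concrete, here is an added example (my own code, not part of the original post or of ISE/Meraki) that emulates the three steps above: ISE picks an authorization profile from the user's AD groups, returns that profile's Airespace-ACL-Name inside a RADIUS Vendor-Specific attribute, and the Meraki AP matches the returned name against its locally configured group policies. The VSA numbers (vendor 14179, sub-attribute 6) are the public Airespace dictionary values; the AD group names, the policy contents and the fallback behaviour for an unknown name are assumptions that mirror the page's Finance/IT rules.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # IETF RADIUS attribute type for a VSA (RFC 2865 s5.26)
AIRESPACE_VENDOR_ID = 14179   # Airespace/Cisco wireless enterprise number
AIRESPACE_ACL_NAME = 6        # Airespace-ACL-Name sub-attribute type

# ISE side: authorization rules, evaluated top-down (AD group -> Airespace ACL Name).
# Group names are assumed; FINANCE/IT are the names used on the page.
AUTHZ_RULES = [
    ("Finance", "FINANCE"),
    ("IT", "IT"),
]

# Meraki side: group policies configured on the network, keyed by the exact name
# ISE returns. Contents are constructed to mirror the page's limits.
MERAKI_GROUP_POLICIES = {
    "FINANCE": {"bandwidth_kbps_per_user": 1000,
                "blocked_categories": {"social networking", "file sharing"},
                "blocked_hosts": {"192.168.129.1"}},
    "IT": {"bandwidth_kbps_per_user": 2000,
           "blocked_categories": {"sports", "gambling", "games"},
           "blocked_hosts": set()},
}


def ise_authorize(ad_groups):
    """Return the ACL name of the first matching rule, or None (no match -> reject)."""
    groups = set(ad_groups)
    for group, acl_name in AUTHZ_RULES:
        if group in groups:
            return acl_name
    return None


def encode_airespace_acl_name(acl_name):
    """Encode Airespace-ACL-Name as a RADIUS VSA:
    Type(26) Length VendorId(4) VendorType(1) VendorLength(1) Value."""
    value = acl_name.encode("ascii")
    sub = struct.pack("!BB", AIRESPACE_ACL_NAME, 2 + len(value)) + value
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return {(vendor_id, vendor_type): value bytes}.
    Length fields are bounds-checked so a truncated packet raises instead of over-reading."""
    out = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed VSA sub-attribute")
                out[(vendor_id, vtype)] = attrs[j + 2:j + vlen]
                j += vlen
        i += alen
    return out


def meraki_apply(access_accept_attrs):
    """AP side: look up the returned ACL name among local group policies.
    Returns (acl_name, policy); policy is None when no name arrived or the name
    is unknown, which here stands for 'SSID default settings apply' (assumption)."""
    vsas = decode_vsas(access_accept_attrs)
    raw = vsas.get((AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME))
    if raw is None:
        return None, None
    name = raw.decode("ascii")
    return name, MERAKI_GROUP_POLICIES.get(name)


def authorize_client(ad_groups):
    """End-to-end: AD groups -> ISE decision -> RADIUS VSA -> Meraki policy."""
    acl = ise_authorize(ad_groups)
    if acl is None:
        return {"decision": "reject", "acl_name": None, "policy": None}
    name, policy = meraki_apply(encode_airespace_acl_name(acl))
    return {"decision": "accept", "acl_name": name, "policy": policy}


if __name__ == "__main__":
    for groups in (["Domain Users", "Finance"], ["Domain Users", "IT"], ["Domain Users"]):
        print(groups, "->", authorize_client(groups))
```

Two things the emulation makes visible. First, the AP applies whatever name the RADIUS server sends: a typo in either the ISE profile or the Meraki group policy name silently drops the client to the SSID defaults rather than failing, so check the names character for character. Second, the name rides in a plain attribute; its integrity rests on the RADIUS shared secret and on ISE only listing the Meraki network as a NAD, which is why those settings matter even though CoA is barely used here.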
TESTING
Verifying the Finance user on ISE before testing.
Testing with the Finance user.
Authentication and authorization logs on ISE.
Testing authorization enforcement for the Finance user: gaming sites are reachable but Facebook is blocked, as the policy requires.
Note the enforcement of the 1 Mbps bandwidth limit for Finance users.
Testing the IT user's credentials on ISE.
Logging in with the IT credentials.
ISE authentication and authorization logs.
Testing authorization enforcement for IT users: Facebook is reachable, but gaming and gambling sites are blocked.
Note the 2 Mbps bandwidth limit enforced for IT users on the same machine, compared with 1 Mbps for Finance users.
I hope you enjoyed reading it as much as I enjoyed writing it.