
Clearpass and Meraki

  • 1.  Clearpass and Meraki

    Posted Oct 17, 2016 01:45 AM

    Hi all

     

    I have a network built with Meraki access points supported by a ClearPass policy server.

     

    I got guest and 802.1X working.

    Last week Meraki added CoA to the RADIUS settings.

    I would like to use this in my posturing but cannot figure out how to add the Meraki RADIUS attributes.

     

    Does somebody have any pointers?



  • 2.  RE: Clearpass and Meraki

    Posted Dec 01, 2016 01:56 PM

    I have the exact same problem.  I have the Meraki SSID using WPA2-Enterprise against ClearPass Policy Manager.  Based on the criteria and AD groups, ClearPass sends back the correct Filter-ID in the RADIUS accept message, which dynamically applies the appropriate Meraki security policy.  However, I am struggling to figure out how I can change the security policy after CPPM and the OnGuard agent finish their checks.  Any feedback on how to do this?



  • 3.  RE: Clearpass and Meraki

    Posted Apr 05, 2017 10:11 PM

    What do you want to use a change of authorization to do exactly? Based on Meraki documentation, you can only do reauthenticate and disconnect requests.  If you need to send RADIUS attributes you can set up an enforcement profile to handle the specific criteria.  For example, I am using radius private-tunnel-id to set the VLAN based on user or machine auth.  

     

    Hope that helps. 



  • 4.  RE: Clearpass and Meraki

    Posted May 08, 2017 04:49 PM

    I am new to ClearPass, and I am trying to set up something similar to yours.  Is there documentation you followed to set this up with Meraki?  Thanks



  • 5.  RE: Clearpass and Meraki

    Posted May 10, 2017 03:37 PM

    Brad-  Can you tell me what you are looking to do? 

    If you are setting up API calls I will be working on documenting the process.  I will most likely share that with Meraki so they can add it to their documentation. 

    If you just need to tag a VLAN you can use an enforcement profile.  It is all RADIUS IETF settings.

     

     



  • 6.  RE: Clearpass and Meraki

    Posted May 10, 2017 03:51 PM

    As of right now we are just wanting to implement a simple service where any new device cannot connect to the network until we mark it as a known device.  All unknown and disabled devices will not be able to connect.  So users will authenticate against the local user repository, then their device will need to be known.  I believe I have this working now with the local user repository as the Authentication Source, the Endpoint Repository as the Authorization Source, and then Enforcement Policy rules for Unknown and Disabled devices set to the Deny Access profile.  Not sure if this is the best way to accomplish it, but it seems to be working.



  • 7.  RE: Clearpass and Meraki

    Posted May 15, 2017 04:27 PM

    Are you profiling endpoints?  That may be the easiest way to get them in the endpoints database.  Basic idea is to enable profiling and point an ip-helper to the ClearPass server. That will start profiling any device doing DHCP. 



  • 8.  RE: Clearpass and Meraki

    Posted Sep 05, 2017 05:28 AM

    Hi,

     

    Do you know if I can enforce a dynamic url-redirect to a remediation quarantine captive portal in case there is an 'unhealthy status' result for a posture check (either persistent or dissolvable agent)?



  • 9.  RE: Clearpass and Meraki

    Posted Sep 05, 2017 07:14 AM
    Yes. The standard Cisco url-redirect can be used.


  • 10.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 09:30 AM

    We're working to use ClearPass with Meraki and cannot seem to get the service working.  Basically, we have 2 SSIDs that require authentication, and we want to limit devices owned by our institution to connect to a specific SSID.  Our Meraki devices assign the VLAN, so is it possible that an 802.1X request that includes the SSID + a device that is in the repository + a valid credential would allow the person to connect?

     

    We've been using Clearpass for NAC in labs but would like to consolidate all our RADIUS to Clearpass.



  • 11.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 09:37 AM

    What EAP methods are you using?

    What is the authoritative source of information for corporate vs personal?



  • 12.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 09:45 AM

    EAP-PEAP

    MSCHAP2

     

    Personal devices are not members of the domain whereas corporate devices are.  We verify who they are with AD credentials and domain membership.

     

    Thank you



  • 13.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 09:55 AM

    I assume machine auth? 



  • 14.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 09:52 AM

    What service rules do you have set?  



  • 15.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 11:26 AM

    Using policy simulation I set this:

     

    Radius:IETF - Called-Station-ID = <SSID>

     

    Which allows me to successfully test.  Roles and enforcement seem unnecessary in my scenario.  I need the RADIUS request to send the SSID, username + password for authentication, the host marked as known in the endpoint repository then Meraki would supply the VLAN and IP address.

     

    I'm guessing it's not that simple and maybe a support case is needed.

     

    Thank you



  • 16.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 11:32 AM

    You're using 2 SSIDs, correct?  Why do you need 2?  

    For instance, I have 1 SSID that serves 2 VLANs: machine auth (vlan1) and user auth (vlan2).  

     

    Are you full stack meraki or just aps?



  • 17.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 11:42 AM

    Just Meraki APs, Cisco switches.

     

    We have two SSIDs, one for students and one for faculty/staff.  We assign each a unique VLAN.  We have to separate them because we have some services that staff need and students should not access.

     

    Do Meraki APs need to be profiled in ClearPass?



  • 18.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 11:47 AM

    You can assign VLANs in the RADIUS response if you want; that way you don't need 2 SSIDs.  I assume you have an ACL between the 2 VLANs? 

     

    Or you can assign users to group policies and set the firewall in the policy to limit the students.

     

    Or you can use the contains not = in the service rule as stated before. 

     



  • 19.  RE: Clearpass and Meraki

    Posted Sep 19, 2017 11:35 AM

    I think I found the issue.  

     

    Radius:IETF:Called-Station-Id contains (SSID)

    not equals.  

     

    Called-Station-Id returns the MAC of the AP so you won't match unless you have that included.  Contains will match on any part.
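The equals-versus-contains difference described in the last two posts, as an added example in Python that is not code from any poster here. It assumes the common wireless form of Called-Station-Id (AP BSSID, a colon, then the SSID) and uses constructed sample requests; it also goes one step beyond the thread by parsing out the SSID and comparing it exactly, which avoids a substring rule on "Faculty" also matching an SSID such as "Faculty-Guest".

```python
import re

# Sample Access-Request attributes as a wireless NAS typically sends them: Called-Station-Id
# carries the AP's BSSID followed by the SSID. All values are constructed for this example.
SAMPLE_REQUESTS = [
    {"User-Name": "student1", "Called-Station-Id": "00-11-22-33-44-55:Students"},
    {"User-Name": "prof1",    "Called-Station-Id": "00-11-22-33-44-66:Faculty"},
    {"User-Name": "visitor1", "Called-Station-Id": "00-11-22-33-44-77:Faculty-Guest"},
    {"User-Name": "legacy1",  "Called-Station-Id": "00-11-22-33-44-88"},  # no SSID suffix
]

# Six hex octets separated by '-' or ':', optionally followed by ':<SSID>'.
MAC_SSID = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(.*))?$")


def parse_called_station_id(value):
    """Split 'BSSID:SSID' into (bssid, ssid); ssid is '' when the NAS sent only the BSSID."""
    m = MAC_SSID.match(value)
    if not m:
        return value, ""          # not in the expected shape: hand back the raw value
    return m.group(1).upper(), m.group(2) or ""


def rule_equals(attr_value, ssid):
    """Called-Station-Id EQUALS <SSID>: never true while the BSSID prefix is present."""
    return attr_value == ssid


def rule_contains(attr_value, ssid):
    """Called-Station-Id CONTAINS <SSID>: substring match, as suggested in the thread."""
    return ssid in attr_value


def rule_ssid_exact(attr_value, ssid):
    """Parse out the SSID part and compare it exactly (no prefix collisions)."""
    return parse_called_station_id(attr_value)[1] == ssid


def matching_users(requests, ssid, rule):
    """Return the User-Names whose request satisfies `rule` for the given SSID."""
    return [r["User-Name"] for r in requests if rule(r["Called-Station-Id"], ssid)]


if __name__ == "__main__":
    for name, rule in (("equals", rule_equals), ("contains", rule_contains), ("exact", rule_ssid_exact)):
        print(f"{name:9}-> {matching_users(SAMPLE_REQUESTS, 'Faculty', rule)}")
```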