{"id":5115,"date":"2022-08-17T18:44:00","date_gmt":"2022-08-17T16:44:00","guid":{"rendered":"https:\/\/cyber-fi.net\/?p=5115"},"modified":"2023-10-12T18:19:35","modified_gmt":"2023-10-12T16:19:35","slug":"tuning-the-cisco-ise-for-meraki-networks","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2022\/08\/17\/tuning-the-cisco-ise-for-meraki-networks\/","title":{"rendered":"Tuning the Cisco ISE for Meraki Networks"},"content":{"rendered":"\n

In general, the Cisco ISE and Meraki devices play nicely together. But when doing 802.1X Authentication, the ISE hides some information and by enabling these, the Logs have a more relevant output.<\/p>\n\n\n\n

Let’s start:<\/p>\n\n\n\n

Vendor Specific Attributes<\/h3>\n\n\n\n

Meraki Devices send four Vendor Specific Attributes (VSA) in the RADIUS requests:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

To show these correctly in the Logs, we need to import a RADIUS-Dictionry into the ISE:<\/p>\n\n\n\n

VENDOR Meraki 29671
BEGIN-VENDOR Meraki
ATTRIBUTE Meraki-Device-Name 1 string BOTH
ATTRIBUTE Meraki-Network-Name 2 string BOTH
ATTRIBUTE Meraki-Ap-Name 3 string BOTH
ATTRIBUTE Meraki-Ap-Tags 4 string BOTH
END-VENDOR Meraki<\/code><\/p>\n\n\n\n

These lines are copied to a file and can be imported into the ISE:<\/p>\n\n\n\n

Policy -> Policy Elements -> Dictionaries -> System -> RADIUS -> RADIUS Vendors<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After the import, it should look like this:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

RADIUS Attributes from RFC7268 “RADIUS Attributes for IEEE 802 Networks”<\/h3>\n\n\n\n

Meraki APs send four Attributes that look like the following in the Log:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Not only the ISE has no knowledge of these RADIUS attributes, Wireshark 3.6.7 also shows them as “Unknown-Attribute”:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

RFC7268 from July 2014 defines them as the following:<\/p>\n\n\n\n

- WLAN-Pairwise-Cipher<\/a>\n- WLAN-Group-Cipher<\/a>\n- WLAN-AKM-Suite<\/a>\n- WLAN-Group-Mgmt-Cipher<\/a>\n\nEDIT: Meraki APs also send the Attribute 177 \"Mobility-Domain-Id\"<\/pre>\n\n\n\n
On the ISE, we can easily change the corresponding “undefined-xyz” attributes to the real names of the attributes:<\/p>\n\n\n\n
Policy -> Policy Elements -> Dictionaries -> System -> RADIUS -> IETF -> undefined-xyz<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
And now the ISE-logs are more meaningful:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I still have to find out how I can replace the values with the corresponding names:<\/p>\n\n\n\n
00:0f:ac:04 -> CCMP-128<\/p>\n\n\n\n
00:0f:ac:05 -> 802.1X (SHA-256)<\/p>\n\n\n\n
00:0f:ac:06 -> BIP-CMAC-128<\/p>\n\n\n\n
If I figure this out later, or someone has a hint for me, I’ll add it to this blog-post.<\/p>\n\n\n\n
Have fun with your Meraki\/ISE combination!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
In general, the Cisco ISE and Meraki devices play nicely together. But when doing 802.1X Authentication, the ISE hides some information and by enabling these, the Logs have a more relevant output. Let’s start: Vendor Specific Attributes Meraki Devices send four Vendor Specific Attributes (VSA) in the RADIUS requests: To show these correctly in the <\/p>\n
continue reading<\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5,705,7],"tags":[709,137,696,690],"class_list":["post-5115","post","type-post","status-publish","format-standard","hentry","category-cisco","category-meraki","category-cisco-security","tag-802-1x","tag-cisco","tag-ise","tag-meraki"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=5115"}],"version-history":[{"count":4,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5115\/revisions"}],"predecessor-version":[{"id":5341,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5115\/revisions\/5341"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=5115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=5115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=5115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}