Put your untrusted clients on ISE

Source: Meraki-Cisco

The last decade has seen a drastic increase in the number of network-connected devices.  Because of this, it has become more and more difficult for administrators to manage access, security, and traffic policies for all of the clients in their networks.  As with a lot of other IT challenges, the key to solving this problem lies in automation – removing as much of the manual work as possible by creating ways to dynamically and intelligently assign policies to clients.  One of the most effective ways to accomplish this is through a technology known as Change of Authorization (CoA).

At the most basic level, CoA is just a mechanism for changing the policy of an already-connected client.  While that might sound pretty simple, there are actually a variety of ways that CoA can be used to solve complex problems in a wireless network.  For example, you might want clients to have different levels of network access based on the current security status of the device, often referred to as its “security posture”.  A device’s posture includes things like whether it has up-to-date antivirus and anti-spyware software installed, whether the latest operating system security patches are installed, or even whether a certain application is installed on the device. Using CoA, you can send information from Cisco’s Identity Services Engine (ISE) or similar solutions to a Cisco Meraki AP informing it of any changes to a device’s posture.  The AP can then apply the appropriate policy to that client, even if it is already connected.  You can also leverage ISE to perform Central Web Authentication (CWA) in order to implement automatic authentication and policy application for guest users.
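As an added illustration of the CoA exchange described above (example code, not Meraki or ISE code; the attribute choices and the shared secret are constructed assumptions), here is a minimal RFC 5176 CoA-Request/ACK builder together with the shared-secret authenticator check a NAS such as an AP performs before it changes a connected client's policy:

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the RFC 2865 attribute types used below.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, CALLING_STATION_ID = 1, 11, 31

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for atype, value in attrs:
        value = value.encode() if isinstance(value, str) else value
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def _authenticator(header, seed, body, secret):
    """MD5(Code+ID+Length + seed + Attributes + Secret); seed is 16 zero octets for a request."""
    return hashlib.md5(header + seed + body + secret).digest()

def build_coa_request(secret, identifier, attrs):
    """CoA-Request sent by the CoA server (e.g. ISE) to the NAS (the AP)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    return header + _authenticator(header, bytes(16), body, secret) + body

def verify_coa_request(secret, packet):
    """NAS-side check: sane length, right code, and a Request Authenticator under our secret."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = _authenticator(packet[:4], bytes(16), packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def build_coa_response(secret, request, code, attrs=()):
    """CoA-ACK/NAK from the NAS; its authenticator is bound to the request's authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + _authenticator(header, request[4:20], body, secret) + body

def verify_coa_response(secret, request, response):
    """Server-side check that the ACK/NAK matches this request and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = _authenticator(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)
```

A request built under one secret fails verification under any other secret or after any byte is altered, which is the only thing standing between a stray UDP packet and a policy change on an already-connected client.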

Like all Cisco Meraki features, we took care to ensure that CoA is simple to implement.  For administrators who wish to use Cisco ISE as their RADIUS and CoA server, it’s as easy as navigating to the Wireless > Access Control page and selecting ‘WPA2-Enterprise with my RADIUS server’ in the Association requirements section, and ‘Cisco Identity Services Engine (ISE) Authentication’ in the Splash page section.


Add your ISE server information under RADIUS servers, and you’re good to go!  Your APs will now redirect users to the ISE web portal for authentication when they connect, and will respond to CoA messages sent by the ISE server.

For other popular solutions like PacketFence, the process is just as easy.  Instead of selecting ISE Authentication from the Splash page options, set RADIUS CoA support to ‘RADIUS CoA enabled’ in the RADIUS server options on the same page.


The AP will now respond to CoA messages sent by the RADIUS server.

These features are currently in open beta.  If you want to try them out, you can reach out to our Support team or to your Cisco Meraki Systems Engineer to join the beta.  For more information on configuring CoA on Cisco Meraki MR access points or to learn more about this feature, check out our documentation.
