ISE 1.2 & AD & Meraki - Per User Group Policy ?

I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, and each unit will have its own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per-user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to set up ISE for use with Meraki and it is great, but it assumes that there will be large groups like Employees, Contractors, etc. that will be used. This is where I'm being tripped up; also, this is my first swing at a NAC deployment so I have a lot to learn.
1. Can I set up each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki. Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
2. Each unit will have devices that will need MAB because they are not 802.1X compatible. I need to do the same as above with them. I would create a separate SSID for these devices and then use the MAC address to authenticate them, but I will need to authorize them to go into a specific group policy.
I know this isn't a typical ISE application, but I think that this will work really well in the end; I just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
Thanks,
Nathan

Please find the Meraki_ISE integration doc in the attachment.
When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
MAC-based access control (no encryption)
WPA2-Enterprise with 802.1x authentication
A per-user VLAN tag can be applied in 3 different ways:
The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 
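The first two methods above amount to a handful of RADIUS attributes in the Access-Accept. The following is an added example, not code from this thread or from Cisco/Meraki, that builds those attributes from a per-unit lookup for both 802.1X users and MAB devices; the unit numbering, the directory contents, and the rule that the VLAN ID and the Meraki group-policy name both equal the unit number are constructed assumptions.

```python
"""Per-user VLAN and group-policy assignment for a Meraki SSID, expressed as
RADIUS Access-Accept attributes.  Added example, not code from the thread
or from Cisco/Meraki.  Constructed assumptions: VLAN ID and Meraki group
policy name both equal the unit number, 802.1X users are keyed by username,
MAB devices by MAC, and DIRECTORY stands in for the AD attribute ISE reads."""
import re
import struct
from typing import Optional

# RADIUS attribute types (RFC 2865 / RFC 2868)
FILTER_ID = 11                 # Meraki reads the group-policy name from here
TUNNEL_TYPE = 64               # 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # the VLAN ID, carried as a string
VLAN, IEEE_802 = 13, 6
FIRST_UNIT, LAST_UNIT = 101, 350   # 250 units (constructed numbering)

# Constructed directory: identity -> unit.  MAB devices (TVs, printers ...)
# are keyed by canonical lower-case, colon-separated MAC.
DIRECTORY = {
    "tenant101": 101,
    "tenant102": 102,
    "00:11:22:33:44:55": 101,     # MAB device belonging to unit 101
    "tenant999": 999,             # stale/mistyped entry: must not be honoured
}


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: tag octet (0 = unused) plus a 24-bit value."""
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def _tagged_str(attr_type: int, value: str, tag: int = 0) -> bytes:
    """RFC 2868 tagged string: tag octet (0 = unused) followed by the text."""
    return _avp(attr_type, bytes([tag]) + value.encode("ascii"))


def normalize_identity(identity: str) -> str:
    """MAB sends the MAC as the User-Name and NAS formats differ
    (aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, aabbccddeeff); canonicalise so one
    directory entry covers them all.  Anything else is a plain username."""
    if re.fullmatch(r"[0-9A-Fa-f:.\-]+", identity):
        digits = re.sub(r"[^0-9a-f]", "", identity.lower())
        if len(digits) == 12:
            return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return identity.lower()


def authorize(identity: str) -> Optional[dict]:
    """Attributes for the Access-Accept, or None to send Access-Reject.
    Unknown identities and units outside the building's range are refused
    rather than dropped into whatever VLAN the bad value names."""
    unit = DIRECTORY.get(normalize_identity(identity))
    if unit is None or not FIRST_UNIT <= unit <= LAST_UNIT:
        return None
    return {
        "Tunnel-Type": VLAN,
        "Tunnel-Medium-Type": IEEE_802,
        "Tunnel-Private-Group-ID": str(unit),  # needs "RADIUS override" enabled
        "Filter-ID": str(unit),                # Meraki group policy named "101"
    }


def encode_accept(attrs: dict) -> bytes:
    """Wire-format attribute list carrying those four values."""
    return (_tagged_int(TUNNEL_TYPE, attrs["Tunnel-Type"])
            + _tagged_int(TUNNEL_MEDIUM_TYPE, attrs["Tunnel-Medium-Type"])
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, attrs["Tunnel-Private-Group-ID"])
            + _avp(FILTER_ID, attrs["Filter-ID"].encode("ascii")))
```

The range check is what keeps a mistyped directory value from landing a tenant in a VLAN that was never meant for tenants; the Tunnel-Private-Group-ID only takes effect when the SSID's "RADIUS override" setting allows it, while Filter-ID works through the named group policy.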

Similar Messages

  • "Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

    We want to deploy the PAC file to all our desktops to configure the proxy. We have a Windows 2008 R2 server, and I've enabled the GPO "Make proxy settings per-machine (rather than per user)", and I've added a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" with the PAC file link.
    I've tested on my PC, and all was configured without any problem. I've tried to log in to my computer with another user (without admin rights) and the automatic configuration proxy was filled in and not modifiable. It seems that all works.
    But our users are not local admins, so I've tried to deploy the GPO on a colleague's computer. I've forced the update of the GPO, checked in the registry that all new keys are added, and I've rebooted the PC. When I've checked the IE settings, the autoconfig URL was empty and greyed out. I've logged off the user and logged in to the PC with a local admin. To my surprise, the IE settings were filled in. When I come back to the user profile the IE settings are filled in and not modifiable.
    The problem is: I've over 750 users in 3 countries, and I don't want to grant them local admin permissions. How can I configure proxy settings via GPO without logging in to every machine at least one time?

    > have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy
    > settings per-machine (rather than per user)", and i've add a registry
    > key AutoConfigURL in "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" with the pac file link.
    In the past, we experienced various issues with machine proxy settings,
    so we don't use them anymore. The simple approach:
    Block access to the connections page through ADM template settings and
    deploy the proxy through GPP Internet Settings.
    This is what we do (with a pac file, too), and it works well :)
    Martin
    How about reading a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Selective LOV per User/Group

    Hi Guys,
    Just would like to ask if there's a way on how to limit or only show a selected number of LOVs per User?  For example,
    I have a parameter for Country and I have 2 Users... User1 should only see let's say China, Japan and Korea, while User2
    should be able to see all countries..
    Kind  Regards and Many Thanks,
    Mark

    I am facing the same issue. I implemented a dynamic LOV and published the CR into BOE. But when the user runs the report he/she sees all the available LOVs. But we need only a selective LOV per User/Group.
    Please suggest where I can use the Current CE User function, because we are already using a security table in Crystal Reports.
    Thanks
    Reddy

  • Per user QoS Policy in ASA

    Is there a way to configure a per-user QoS policy in ASA?
    I need this to configure SSL VPN users to have different bandwidth.

    Hi,
    Please can you explain to me how "per SSL VPN group basis" is going to work.
    For my requirement, a per-group policy is also OK. Then it is needed to configure bandwidth limiters per group policy.
    thanks & regards
    Chandana

  • OU Group Policy overriding User Group Policy

    I'm using ZfD 4.01 ir7 and have a restrictive Group Policy applied at the
    OU level. I've created a less restrictive Group Policy and assigned it to
    a user within the above mentioned OU but the settings are not
    taking...the OU Group Policy is overriding the user Group Policy. The
    appropriate rights have been assigned and this configuration is working
    for other users/OUs in the tree. I've run a dsrepair against this
    partition and no errors were reported.
    Any suggestions to resolve this would be greatly appreciated.
    Ryan

    Paulr,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • User group policy turns "display last user" to "ON"

    Hello to all,
    I distribute a simple local user group policy to turn off the "Action Center" at the System tray.
    Every time I do this, the "last...

    Search policy includes groups.
    User is only in one group.
    Still the same problem.
    The tree is very simple, one O and one OU. All policies and users are in
    the OU.
    Ian
    "Ian Russell" <[email protected]> wrote in message
    news:hn_Tc.3065$[email protected]..
    > Hi Craig,
    >
    > I will check that out. It may be the multiple group membership that is
    > causing the problem....
    >
    > "Craig Wilson" <[email protected]> wrote in message
    > news:[email protected]..
    > > 1) Check to make sure you have a search policy defined and that search
    > > policy includes groups.
    > >
    > > 2) Make sure that ONE and only ONE group a user is assigned to has a
    > > policy assigned. Multiple Group Memberships that contain policies will
    > > result in seemingly random results. Due to the complex nature of events
    > > when users belong to multiple groups that contain policies, Novell
    > > actually recommends against the use of policies for groups. It can be
    > > done, but just be sure the limit is maintained.
    > >
    > > Ian Russell wrote:
    > >
    > > > Hi,
    > > > I have ZfD3.2 (SP3) on a NW 6.0 (SP5) server. The user group policy
    > > > does not get applied to members of a NetWare group. If I apply it to
    > > > a user object it works.
    > > > Any ideas?
    > > > Ian
    > >
    > > --
    > > Craig Wilson
    > > CNE3, 4, 5 - MCSE - CCNA
    > > NSC Sysop (http://support.novell.com/forums/)
    > >
    > > Tech Writer - http://www.ithowto.com
    > > (I Peter 4:10)
    > >
    > >
    >
    >

  • ISE / Active Directory: issue getting user groups

    Hello,
    We have a strange issue:
    - ISE 1.2 patch 8
    - no WLC, autonomous AP
    In authentication, we check Wireless IEEE 802.11 (RADIUS) and cisco-av-pair (ssid), then we use AD.
    We have 3 SSIDs, so 3 rules: one DATA, one GUEST, one for TOIP.
    One more rule grants authentication for APs to register in WDS: user in the local database.
    In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access
    (so 3 rules), and one more to authorise the internal base for WDS.
    We have something strange:
    - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD group is not seen.
    Example:
    1- OK:
    Authentication Details
    Source Timestamp: 2014-05-15 11:43:19.064
    Received Timestamp: 2014-05-15 11:43:19.065
    Policy Server: radius
    Event: 5200 Authentication succeeded
    All the GROUPS of the user are seen:
    false
    AD ExternalGroups: xx/users/admexch
    AD ExternalGroups: xx/users/glkdp
    AD ExternalGroups: x/users/gl revue écriture
    AD ExternalGroups: xx/users/pcanywhere
    AD ExternalGroups: xx/users/wifidata
    AD ExternalGroups: xx/informatique/campus/destinataires/aa informatique
    AD ExternalGroups: xx/informatique/campus/destinataires/aa entreprises et cités
    AD ExternalGroups: xx/informatique/campus/destinataires/aa campus
    AD ExternalGroups: xx/users/aiga_creches
    AD ExternalGroups: xx/users/admins du domaine
    AD ExternalGroups: xx/users/utilisa. du domaine
    AD ExternalGroups: xx/users/groupe de réplication dont le mot de passe rodc est refusé
    AD ExternalGroups: xx/microsoft exchange security groups/exchange view-only administrators
    AD ExternalGroups: xx/microsoft exchange security groups/exchange public folder administrators
    AD ExternalGroups: xx/users/certsvc_dcom_access
    AD ExternalGroups: xx/builtin/administrateurs
    AD ExternalGroups: xx/builtin/utilisateurs
    AD ExternalGroups: xx/builtin/opérateurs de compte
    AD ExternalGroups: xx/builtin/opérateurs de serveur
    AD ExternalGroups: xx/builtin/utilisateurs du bureau à distance
    AD ExternalGroups: xx/builtin/accès dcom service de certificats
    RADIUS Username: xx\cennelin
    Device IP Address: 172.25.2.87
    Called-Station-ID: 00:3A:98:A5:3E:20
    CiscoAVPair: ssid=CAMPUS
    ssid: campus
    2- Not OK later:
    Authentication Details
    Source Timestamp: 2014-05-15 16:17:35.69
    Received Timestamp: 2014-05-15 16:17:35.69
    Policy Server: radius
    Event: 5434 Endpoint conducted several failed authentications of the same scenario
    Failure Reason: 15039 Rejected per authorization profile
    Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
    Only 3 groups of the user are seen:
    Other Attributes
    ConfigVersionId: 5
    Device Port: 1645
    DestinationPort: 1812
    RadiusPacketType: AccessRequest
    UserName: host/xxxxxxxxxxxx
    Protocol: Radius
    NAS-IP-Address: 172.25.2.80
    NAS-Port: 51517
    Framed-MTU: 1400
    State: 37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
    cisco-nas-port: 51517
    IsEndpointInRejectMode: false
    AcsSessionID: radius/189518899/49890
    DetailedInfo: Authentication succeed
    SelectedAuthenticationIdentityStores: AD1
    ADDomain: xxxxxxxxxxx
    AuthorizationPolicyMatchedRule: Default
    CPMSessionID: b0140a6f0000C2E15374CC7F
    EndPointMACAddress: 00-xxxxxxxxxxxx
    ISEPolicySetName: Default
    AllowedProtocolMatchedRule: MDP-PC-PEAP
    IdentitySelectionMatchedRule: Default
    HostIdentityGroup: Endpoint Identity Groups:Profiled:Workstation
    Model Name: Cisco
    Location: Location#All Locations#Site-MDP
    Device Type: Device Type#All Device Types#Cisco-Bornes
    IdentityAccessRestricted: false
    AD ExternalGroups: xx/users/ordinateurs du domaine
    AD ExternalGroups: xx/users/certsvc_dcom_access
    AD ExternalGroups: xx/builtin/accès dcom service de certificats
    Called-Station-ID: 54:75:D0:DC:5B:7C
    CiscoAVPair: ssid=CAMPUS
    If you have an idea, thanks so much,
    Regards,

    To configure debug logs via the Cisco ISE user interface, complete the following steps:
    Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
    You can use the Filter button to search for a specific node, particularly if the node list is large.
    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

  • Restrict subroles as per Users/Groups

    Hello Experts,
    We have one role (say, for e.g., Main Role) in the portal which has 4 subroles under it. The 4 subroles are assigned as a Delta link to the 'Main Role'.
    Now when I assign this 'Main Role' to a user, the user has access to all the 4 subroles. This is a problem.
    The requirement is to assign the Main Role to a user and that user only needs to see 2 subroles out of the 4.
    Is there any way through which we can restrict access to the subroles as per the Users/Group?
    Thanks in Advance,
    Sanjay Sarode

    Hi Sanjay,
    Did you try the same using the Merge ID concept? That way you can restrict according to your need.
    To be more clear:
    Role 1   Role2    Role3
    wks 1    wks2     wks3
    In WKS you have a Merge ID property; give a test name and in the other workset give the same name in that property.
    Now you can assign each role individually or assign 2 or more than 2 at a time.
    When you assign more than 2:
    Role1
    WKS1  WKS2
    Hope this helps.
    Cheers-
    Pramod

  • Server 2008 R2 RDP: limit max number of rdp connections per user group?

    Hello everyone,
    I have a Windows Server 2008 R2 with RDP installed.
    I want to create a couple of user groups which will have 5 different users in each. Then I would like to limit RDP connections, let's say 2 connections for the first group and 3 connections for the second group. For example, if 2 users from Group 1 are connected, then when a 3rd user from Group 1 tries to connect it will be rejected, but 3 users from Group 2 can still connect. Is it doable?
    Thanks in advance.

    Hi,
    I would like to check if you need further assistance.
    If you need help to create a script, please post your questions in our related forums.
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home
    Thanks.
    Jeremy Wu
    TechNet Community Support

  • Unique item permissions per user/group of ListItems

    Hello,
    I have the following scenario:
    1.) SharePoint group named "(Administrator) Company A" <-> Has Add/Edit rights on the list
    2.) SharePoint group named "Company A" <-> Has only Add/Read access to the list
    3.) .....many many other groups (50+) with the same schema.
    Each pair of groups (Company A) should "only" see their own entries in the SharePoint list.
    My logical approach and research on how to accomplish this ended up in writing an ItemEventHandler.
    The problem I ran into now is that whenever I try to use "currentListItem.BreakRoleInheritance(false);" I get an access denied message whenever the limited user group is trying to add an item to the list, even when I use SPSecurity.RunWithElevatedPrivileges(delegate().
    So I wonder what is wrong. Isn't RunWithElevatedPrivileges ignoring the current user's rights?
    Any help would be highly appreciated.

    Thank you all for the replies.
    Meanwhile I was able to figure out myself what the problem was.
    Both of your replies actually didn't solve my problem. I kept getting ACCESS_DENIED exceptions.
    But the problem is that all of this happened inside of a
    public override void ItemAdded(SPItemEventProperties properties)
    of an SPItemEventReceiver class.
    The root of the problem was that I was still trying to modify the initial "properties" object.
    After I made a complete copy and re-retrieved the item from the list INSIDE of the elevated-privilege method, I was finally able to make my desired modifications.
    So for everyone who runs into this problem too:
    Make sure you re-retrieve EVERYTHING (ListItem, DocumentItem etc.) you want to modify with elevated privileges inside of the
    SPSecurity.RunWithElevatedPrivileges(delegate()
    Thank you again,
    Ralf

  • VLAN assignment per user group with WDS

    I have configured an EAP-TLS WLAN. I have configured the RADIUS server to assign a VLAN to the user depending on the user group.
    In this way I avoid that a user with a valid certificate who discovers another SSID can change the VLAN by changing his SSID (so I control what VLAN every user connects to).
    But when I have configured WDS in the WLAN it stops working. Because (I suppose) when the user reauthenticates (not the first time) the WDS doesn't ask the RADIUS server (it uses its cache), so it doesn't use the RADIUS configuration and applies the VLAN depending on the user's SSID.
    How can I resolve this problem?
    Thanks

    I think that the WDS configuration is not working as intended. That's the reason the WDS is not caching the credentials and authenticating the user. Under Wireless Services > WDS status tab, do you see the infrastructure devices as Registered? If not, check the authentication server for authentication stats. The first thing is that the WDS AP should register the infrastructure devices. Only then will things work.

  • User Group Policy Settings not applied to new user profiles at first logon

    Good Afternoon,
    We have an issue that occurs to a new user when they first log on to their machines. They log on and a new profile is created from the Default User Profile. We can see that a number of our Group Policy Settings applied as "User Configuration" are not applying. A log off and back on is required before the policies apply.
    Any thoughts on this behaviour please?
    Regards
    LeeB
    Lee Bowman MCITP MCTS

    Hi,
    How about your problem now? How many systems encounter this problem? Could none of the policies be applied? Is there any feedback when using gpresult to check the policy applied status?
    As Group Policy applies after user identity authentication, generally speaking, user logoff and back on isn't helpful with this problem.
    When this problem occurs, have you checked the event log to see if it identifies this problem?
    Roger Lu
    TechNet Community Support

  • ISE Alarm at Failed Authentications per User

    Hi there!
    Is there a way to define an alarm for Failed authentications in a given time for a specific user in ISE 1.3?
    We have an alarm like this defined in ACS 5.3 but I can't find it in the ISE.
    Here is a picture of the definition in ACS:
    Can anyone help?

    Yes, we can configure ISE alarms and send email notifications as well.

  • Report links by user group

    Hi, is it possible to set the "report links" per user group?
    For example, the report links are Download and Refresh for user group Sales;
    the report links are Download, Refresh and Modify for user group Sales Admin.
    Just wanna know whether this can be done.
    thanks!

    If "Sales" doesn't have the Answers privilege, then the "Modify" link won't be rendered even if specified for the request. So you can just keep it in and all users having access to Answers will see it. Read-only users (i.e. no Answers) won't.
    Cheers,
    C.

  • Change CAL to per user from per unit

    Hello!
    I bought per-user CALs (has been verified) but I have been using per-device because the per-user CAL didn't update the license for the users. I don't understand why it works perfectly with per-device (group policy edited) but not per-user? The system has been online for one and a half years now, so it wasn't until now that I noticed the problem, because too many computers had been assigned a license, and even when I revoke one of them I won't be able to connect another computer until December 10, so that's a big problem. I did change to per-user but it won't connect with the computer due to too many licenses in use. Do I need to restart the server when I change to per-user in group policy? And why are the CALs working fine with per-device when I bought per-user CALs?
    Regards

    Hi,
    >>don't understand why it works perfectly with per unit (group policy edited) but not per user?
    Based on the description, I assume we are using group policy to manage the Remote Desktop licensing mode. Here, please make sure that we have a sufficient number of RDS Per User CALs installed on the license server to provide an RDS Per User CAL for each user that needs to connect to the RD Session Host server.
    Besides, as this question is more related to RDS, in order to get professional help, it's recommended that we ask for suggestions in the following RDS forum.
    Remote Desktop Services
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS
    In addition, regarding issuing RDS CALs, the following article can be referred to for more information.
    Install and issue RDS CALs or TS CALs
    http://technet.microsoft.com/en-us/library/hh553159(v=ws.10).aspx
    Best regards,
    Frank Shen
