Please read

Chris Weber, Product Manager – Meraki MX Security

Linkedin: christopherwweber/

Powered by the Meraki Full Stack

Harnessing Identity-Based

Firewalling on the Meraki MX

BRKMER-2515

An analogy for Full Stack Identity-Based Security

Company X

Company Y

Company Z

Restricted

Space

Restricted

Space

Main

Entrance

BRKMER-2515

3

Agenda

• What are Group Policies?

• Full Stack Identity with 802.1x

• Full Stack Identity with Adaptive Policy

• Sentry Policies with Systems Manager

• Passive Identity with Active Directory

• Zero Trust with Secure Connect

BRKMER-2515

4

Cisco’s Meraki platform for the

secure cloud managed branch

Wireless

Switching

Firewall and

SD-WAN

Mobile Device

Management

IoT Sensors

Smart

Cameras

Cellular

Gateways

3x

larger than

competitors

Built-in solutions

MERAKI DASHBOARD

ACCESS & ENDPOINT

SECURITY AND IOT

API

Tailored solutions

CUSTOM BUILT

developer.cisco.com/meraki

TECH PARTNERS

meraki.com/marketplace

5

Born in the cloud, growing daily, and

trusted everywhere

15 years of helping customers and partners deliver

exceptional secure network experiences

700K+

Customers

99.99%

Cloud SLA

External API

monthly calls

Firewalls Deployed

Flows secured

per week

5+

MILLION

Customer

networks

15+

MILLION

Meraki devices

online

190+

Countries

in network

8+

BILLION

2+

MILLION

8+

TRILLION

Threats Blocked

per Month

Secure Client Users

Per Day

SD-WAN Customers

25+

BILLION

400+

THOUSAND

40+

THOUSAND

Full Stack

Identity-Based

Security

What are Group

Policies?

Foundation For Full-Stack identity-based

Security Policies

BRKMER-2515

8

Open Question

“Groups”

Forms of network segmentation + groups of

users

(e.g. VLANs, subnets, SSIDs, SM tags, AD,

SGT)

“Policies”

Rules that will actively or passively affect

network traffic or end client functionality

(e.g. firewall, content filtering, AMP, SSL

Decrypt, QoS, MDM)

Group Policies

Foundation to identity-based Security Policy Enforcement Across Meraki

● Distributed L3 Firewall (MX/MS/MR)

● Distributed L7 Firewall (MX/MR)

● Umbrella DNS Security (MX/MR)

● Threat Protection Policies (MX):

○ AMP

○ Talos Content Filtering (content & threat

categories)

○ URL Filtering

○ YouTube Filtering

○ Web Search Filtering

○ HTTPS Decryption

● VLAN Assignment (MR)

● QoS/Traffic Shaping (MX/MR)

Security Policies

Network Policies

BRKMER-2515

9

Best Practices for using Group Policies

10

BRKMER-2515

Foundation to identity-based Security Policy Enforcement Across Meraki

User and Device Policies Zones-Based Policies

Per-VLAN Policies

Applying Firewall & Security Policies Based on Identity

11

BRKMER-2515

Leverage active and passive auth across the full stack to apply MX security policies based on user or role

Active Directory

Policies

SM (MDM) Sentry

Policies

AnyConnect or

Secure Client VPN

with 802.1x

Static Policy

Assignment

802.1x (MR/MS) with

policy map sync

ZTNA Policies with

Secure Connect

Adaptive Policy (SGT)

MX 802.1x (Port and

wifi) GP Assignment

Static Group Policy Device Assignment

12

BRKMER-2515

Useful when devices don’t have a user behind them or can’t do 802.1x (ex. IoT devices)

Identity-based

Security with

Full-Stack NAC

(802.1x)

An analogy for Full Stack Identity-Based Security

Meraki MS

Meraki MX

Meraki MR

Meraki MX

BRKMER-2515

14

How it Works

MX Firewall & Secure Client

(formerly AnyConnect)

RADIUS with Group Policy

Assignment

16

BRKMER-2515

How it Works

Wireless SSID RADIUS

with Group Policy

Assignment

How it Works

Switchport RADIUS with

Group Policy Assignment

Identity-Based Security Policy with Meraki MX

18

BRKMER-2515

Active/Passive Identity with Meraki Full Stack and Group Policies

1.Client authenticates to network on

SSID configured for RADIUS

Device

User Policy

Group Policies

Sales

Engineering

QuarantineSupport

Cloud Session Table

2. Access Point sends

authentication request to

radius server such as ISE

User: Susan

19

BRKMER-2515

Device

User Policy

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Identity-Based Security Policy with Meraki MX

Active/Passive Identity with Meraki Full Stack and Group Policies

3. ISE validates request and

responds with a group policy

assignment based on users role

Filter-ID: Sales

20

BRKMER-2515

Device

User Policy

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Identity-Based Security Policy with Meraki MX

Active/Passive Identity with Meraki Full Stack and Group Policies

4. Device, user and authentication

information shared with Meraki

cloud and added to cloud session

table

21

BRKMER-2515

Device

User Policy

AA:BB:CC Susan Sales

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Identity-Based Security Policy with Meraki MX

Active/Passive Identity with Meraki Full Stack and Group Policies

5. Session info and group policy

mapping shared to the rest of

the Meraki full stack (MR, MS,

MX)

22

BRKMER-2515

Device

User Policy

AA:BB:CC Susan Sales

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Identity-Based Security Policy with Meraki MX

Active/Passive Identity with Meraki Full Stack and Group Policies

6. MX enforces group policy including

firewall rules, URL filtering rules,

malware protection, SSL decrypt and

any QoS specific to the role

23

BRKMER-2515

Device

User Policy

AA:BB:CC Susan Sales

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Identity-Based Security Policy with Meraki MX

Active/Passive Identity with Meraki Full Stack and Group Policies

Demo

25

Identity-Based

Security with

Adaptive Policy (SGT)

Adaptive Policy

Micro-Segmentation and Context with Security Group Tags

Context shared over the data-plane

providing identical policy for wired and

wireless access

Utilizing inline Security Group Tags

(SGTs)

Organization-Wide intent-based

policy

BRKMER-2515

27

Flexible Group Assignment

28

BRKMER-2515

Hosted Servers

10.10.10.0/24

Static port

assignment

(MX/MS/MR)

Fixed wired devices without

a supplicant

Static SSID

assignment

(*MX/MS/MR)

Single-use SSIDs like guest

Dynamic via

RADIUS

(*MX/MS/MR)

Wired and Wireless

MAB/802.1X & iPSK

w/RADIUS

IP Prefix to SGT

Map

(*MX/MS/MR)

Last resort traffic match

based on IP/Subnet

*MX Coming

Identity-Based

Security with Systems

Manager Sentry

Group Policies

SM Sentry Group Policies with MX Firewall

30

BRKMER-2515

Allow/Deny access to

network via Firewall rules

Posture Assessment:

Platform type?

User Identity?

OS version?

Restrict/Limit network

access via Firewall rules

New Combined Group and Sentry Policies View

31

BRKMER-2515

Network-Wide > Group Policies

Network-Wide > Sentry Policies

Network-Wide > Group Policies

The Standalone Network-Wide > Sentry Policies page was

deprecated on February 1, 2024

SM Sentry Group Policies with MX Firewall

32

BRKMER-2515

Identity-Based Security Policy with Meraki MX

33

BRKMER-2515

Posture-based security with Meraki Systems Manager and Sentry Policies

1. Create group policies

specific to each user

role/group or for

quarantine state

Device

User Policy

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Sales

Device: MAC

Posture: Compliant

2. Use sentry policies to

map group policies to

user, role, device or

posture context

34

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

User Policy

Cloud Session Table

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

3. Endpoint enrolled in

Meraki MDM. SM client

installed

35

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

User Policy

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

Device: Susan’s-Laptop

Device Type: MAC

Security Posture: Compliant

Role: Sales

4. Enrolled device assigned an

owner in Meraki dashboard

(from Azure AD, OIDC, Meraki

auth, etc)

36

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

User Policy

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

5. Endpoint connects to network

37

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

User Policy

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

6. SM shares IP/MAC and

device posture information

with Meraki cloud (even if

wireless or switch network is

non-Meraki)

38

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

Posture Policy

AA:BB:CC Compliant

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

7. Group policy automatically

applied to device based on

owner, endpoint and posture

context

39

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

Posture Policy

AA:BB:CC Compliant Sales

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

8. Session info and group

policy mapping shared to the

rest of the Meraki full stack

(MX and MS/MR, if present)

40

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

Posture Policy

AA:BB:CC Compliant Sales

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

9. MX enforces group

policy for endpoint

41

BRKMER-2515

Identity-Based Security Policy with Meraki MX

Posture-based security with Meraki Systems Manager and Sentry Policies

Device

Posture Policy

AA:BB:CC Compliant Sales

Cloud Session Table

Sales

Device: MAC

Posture: Compliant

Group Policies

Sales

Engineering

QuarantineSupport

Sentry Policies

Identity-based

Security with

Active Directory

Integration

Open Question

Mapping Active Directory Groups to Meraki Group Policies

43

BRKMER-2515

Automatically apply group policies based on user’s AD group membership

MX Active Directory Traffic Flow

44

BRKMER-2515

User logs in

Creates Audit Success

Event & Auths User

WMI query every

5 seconds

Responds with

Audit Success

Events

LDAP query username

from WMI response

Responds with all

OUs of user

Checks OUs against

group policy mappings

Enforces group

policy on device

1

2

3

4

5

Zero Trust Remote

Access with Secure

Connect

Open Question

Secure Internet Access

Public/Private

Cloud

Private Applications

ZTNA Proxy

SWG CASB & DLP

Secure Connect

Interconnect

DNS Layer Security

NAT

Cloud

Firewall

Internet/SaaS

Unmanaged

Endpoint

Managed

Endpoint

Web Internet traffic

Non-web Internet traffic

Private Application traffic

On Prem Users,

Device &Things

DC/Colo/Branch

Mixed Private Internet

MX

(v)MX

For Remote Users with Secure Client (formerly AnyConnect)

BRKMER-2515

46

Secure Internet Access

47

BRKMER-2515

For Remote Users with Secure Client (formerly AnyConnect)

Secure Private Access

Public/Private

Cloud

Private Applications

ZTNA Proxy

SWG CASB & DLP

Secure Connect

Interconnect

DNS Layer Security

NAT

CDFW

Internet/SaaS

Unmanaged

Endpoint

Managed

Endpoint

Web Internet traffic

Non-web Internet traffic

Private Application traffic

On Prem Users,

Device &Things

DC/Colo/Branch

Mixed Private Internet

MX

(v)MX

For Remote Users with no client installed (browser-based remote access)

BRKMER-2515

48

Secure Private Access

49

BRKMER-2515

For Remote Users with no client installed (browser-based remote access)

Cisco Meraki

Learning Map

Expand your horizons and see what Cisco’s

cloud management platform can do for your

business. The Meraki Learning map

includes content that spans many topics

ranging from programmability to

cybersecurity.

Remember, there are also Lab and DevNet

Sessions, Capture the Flag activities, and

Meraki demos throughout the World of

Solutions show floor.

BRKMER-2515

50

Engage with us:

Become a Cisco Meraki Insider

Join

the community

Complete

challenges

Receive

rewards

Thank youThank you