-
Notifications
You must be signed in to change notification settings - Fork 2
/
ise_in_aws.mr_ssids.yaml
213 lines (205 loc) · 7.6 KB
/
ise_in_aws.mr_ssids.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
---
#------------------------------------------------------------------------------
# .corp : 802.1X with ISE from Secure Cisco Meraki Wireless with ISE
#------------------------------------------------------------------------------
- name: Configure SSID | {{ meraki_org_name }}:{{ meraki_lab_net_name }}:.corp
delegate_to: localhost
cisco.meraki.meraki_ssid:
state: present
org_name: "{{ meraki_org_name }}"
net_name: "{{ meraki_lab_net_name }}"
name: .corp
number: 0
enabled: yes
visible: yes
auth_mode: 8021x-radius # [open|psk|open-with-radius|8021x-meraki|8021x-radius]
encryption_mode: wpa # [wpa|eap|wpa-eap]
wpa_encryption_mode: WPA2 only # 🛑 ipsk-with-radius NOT SUPPORTED! [open|psk|open-with-radius|8021x-meraki|8021x-radius]
splash_page: None
radius_servers:
- host: 172.31.2.11
port: 1812
secret: "{{ radius_secret }}"
radius_accounting_servers:
- host: 172.31.2.11
port: 1813
secret: "{{ radius_secret }}"
available_on_all_aps: true
ip_assignment_mode: NAT mode
# 🛑 ▼▼▼ Unsupported with Ansible ▼▼▼
# radius_attribute_for_group_policies: Airespace-ACL-Name
# radius_server_attempts_limit: 3
# radius_server_timeout: 1
# radius_accounting_enabled: true
# radius_accounting_interim_interval: 600
# radius_authentication_nas_id: $NODE_MAC$:$VAP_NUM$
# radius_called_station_id: $NODE_MAC$:$VAP_NAME$
# radius_testing_enabled: true
# radius_failover_policy: Deny access # [Deny access|Allow access]
# radius_fallback_enabled: false
# radius_load_balancing_policy: null
# radius_proxy_enabled: false
# adult_content_filtering_enabled: false
# availability_tags: []
# available_on_all_aps: true
# band_selection: Dual band operation
# dns_rewrite:
# dns_custom_nameservers: []
# enabled: false
# dot11r:
# adaptive: false
# enabled: false
# dot11w:
# enabled: true
# required: false
# ip_assignment_mode: NAT mode
# mandatory_dhcp_enabled: false
# min_bitrate: 11
# per_client_bandwidth_limit_down: 0
# per_client_bandwidth_limit_up: 0
# per_ssid_bandwidth_limit_down: 0
# per_ssid_bandwidth_limit_up: 0
# speed_burst:
# enabled: false
# ssid_admin_accessible: false
#------------------------------------------------------------------------------
# .iot : MAB from Secure Cisco Meraki Wireless with ISE
#
# 🛑 cisco.meraki.meraki_ssid module does not recognize ipsk-with-radius 🛑
# 🛑 'value of auth_mode must be one of: open, psk, open-with-radius, 8021x-meraki, 8021x-radius, got: ipsk-with-radius'
#------------------------------------------------------------------------------
- name: Configure SSID | {{ meraki_org_name }}:{{ meraki_lab_net_name }}:.iot
delegate_to: localhost
cisco.meraki.meraki_ssid:
state: present
org_name: "{{ meraki_org_name }}"
net_name: "{{ meraki_lab_net_name }}"
name: .iot
number: 1
enabled: yes
visible: yes
auth_mode: 8021x-radius # [open|psk|open-with-radius|8021x-meraki|8021x-radius]
encryption_mode: wpa # [wpa|eap|wpa-eap]
wpa_encryption_mode: WPA2 only # 🛑 ipsk-with-radius NOT SUPPORTED! [open|psk|open-with-radius|8021x-meraki|8021x-radius]
splash_page: None
radius_servers:
- host: 172.31.2.11
port: 1812
secret: "{{ radius_secret }}"
radius_accounting_servers:
- host: 172.31.2.11
port: 1813
secret: "{{ radius_secret }}"
available_on_all_aps: true
ip_assignment_mode: NAT mode
# 🛑 ▼▼▼ Unsupported with Ansible ▼▼▼
# radius_attribute_for_group_policies: Airespace-ACL-Name
# radius_authentication_nas_id: $NODE_MAC$:$VAP_NUM$
# radius_called_station_id: $NODE_MAC$:$VAP_NAME$
# radius_coa_enabled: true
# radius_testing_enabled: true
# radius_accounting_enabled: true
# radius_accounting_interim_interval: 600
# dot11w:
# enabled: true
# required: false
# # 🛑 ▼▼▼ Unsupported with Ansible ▼▼▼
# radius_failover_policy: null
# radius_fallback_enabled: false
# radius_load_balancing_policy: null
# radius_proxy_enabled: false
# radius_server_attempts_limit: 3
# radius_server_timeout: 1
# admin_splash_url: null
# adult_content_filtering_enabled: false
# availability_tags: []
# band_selection: Dual band operation
# dns_rewrite:
# dns_custom_nameservers: []
# enabled: false
# dot11r:
# adaptive: false
# enabled: false
# mandatory_dhcp_enabled: true
# min_bitrate: 11
# per_client_bandwidth_limit_down: 0
# per_client_bandwidth_limit_up: 0
# per_ssid_bandwidth_limit_down: 0
# per_ssid_bandwidth_limit_up: 0
# speed_burst:
# enabled: false
# splash_page: Cisco ISE
# splash_timeout: 1440 minutes
# ssid_admin_accessible: false
# walled_garden_enabled: false
- name: Manually change the SSID | {{ meraki_org_name }}:{{ meraki_lab_net_name }}:.iot
ansible.builtin.pause:
prompt: |
You must now manually change the SSID to 'Identity PSK with RADIUS'
because the Meraki Ansible module does not support
wpa_encryption_mode: ipsk-with-radius
1. Open the Meraki Dashboard
2. Go to Wireless > Configure > SSID
3. Select .iot
4. Select Security : Identity PSK with RADIUS
5. Save
Press Enter to Continue...
#------------------------------------------------------------------------------
# .guest : MAB WebAuth with ISE from Secure Cisco Meraki Wireless with ISE
#------------------------------------------------------------------------------
- name: Configure SSID | {{ meraki_org_name }}:{{ meraki_lab_net_name }}:.guest
delegate_to: localhost
cisco.meraki.meraki_mr_ssid:
state: present
org_name: "{{ meraki_org_name }}"
net_name: "{{ meraki_lab_net_name }}"
name: .guest
number: 2
enabled: no
visible: true
available_on_all_aps: true
auth_mode: open-with-radius # [open|psk|open-with-radius|8021x-meraki|8021x-radius]
radius_servers:
- host: 172.31.2.11
port: 1812
secret: "{{ radius_secret }}"
radius_accounting_servers:
- host: 172.31.2.11
port: 1813
secret: "{{ radius_secret }}"
radius_coa_enabled: true
radius_accounting_enabled: true
ip_assignment_mode: NAT mode
splash_page: Cisco ISE
# splash_timeout: 1440 minutes # 🛑 Unsupported
walled_garden_enabled: true
walled_garden_ranges:
- 172.31.2.11/32
# # 🛑 ▼▼▼ Unsupported with Ansible ▼▼▼
# radius_attribute_for_group_policies: Airespace-ACL-Name # 🛑 Unsupported
# radius_authentication_nas_id: $NODE_MAC$:$VAP_NUM$ # 🛑 Unsupported
# radius_called_station_id: $NODE_MAC$:$VAP_NAME$ # 🛑 Unsupported
# radius_failover_policy: null
# radius_fallback_enabled: false
# radius_load_balancing_policy: null
# radius_proxy_enabled: false
# radius_server_attempts_limit: 3
# radius_server_timeout: 1
# radius_testing_enabled: true
# radius_accounting_interim_interval: 600
# admin_splash_url: ''
# adult_content_filtering_enabled: false
# availability_tags: []
# band_selection: Dual band operation
# dns_rewrite:
# dns_custom_nameservers: []
# enabled: false
# mandatory_dhcp_enabled: false
# min_bitrate: 11
# per_client_bandwidth_limit_down: 0
# per_client_bandwidth_limit_up: 0
# per_ssid_bandwidth_limit_down: 0
# per_ssid_bandwidth_limit_up: 0
# speed_burst:
# enabled: false
# ssid_admin_accessible: false