Security is a top priority for people in IT. Everyone knows how important security is to an organization, its devices, and most significantly, its people.
While putting a firewall in your network is the first line of defense, another primary foundation to network security is the enforcement of access security policies. Permitting or denying access to specific resources establishes security in your network. For example, guests should not be able to access business servers. Organizations can have long lists of access policies, dictating who can access what. But how many organizations have a clear and concise policy list they easily understand, manage, and configure?
Access control lists are daunting in most environments. This is due to how access policies are built. Access policies are based on an IP architecture, where sources and destinations are defined by your network topology. While this works, IP-based access policies do not easily scale with large scale environments, businesses with distributed sites, and frequently changing organizations.
Most are familiar with policy lists that look something like this:
Would you be able to tell what these IP addresses represent? Is XXX.XXX.XXX.XXX your cloud server? Or the HR team?
The point is, it’s difficult to tell. It also becomes more troublesome as your business needs change, such as a growing business dealing with company acquisitions, a university expanding their campus with new sites, or a firm that’s redesigning their entire organizational structure. In every one of these cases, access policies must be re-configured to mirror the way the network topology changes.
What if access policies no longer needed to be dependent on network topology; no longer IP-based, and instead, based on the intent of the user, device, or service?
Today’s the day – we’re introducing Adaptive Policy.
*(Beta available H1CY2020)
Adaptive Policy is a new solution where revolutionary Cisco Security Group Tag (SGT) technology meets the most powerful Cisco Meraki switch hardware yet. This software feature addresses the shortcomings of traditional policy administration using Cisco SGT and the MS390. With Cisco SGT, numerical tags are used to profile users, devices, services, and time of access. Tags can be assigned using a RADIUS server like Cisco Identity Services Engine (ISE). When Cisco ISE is used, the tag is transmitted to all devices in the network — every packet is tagged and decisions based on the tag are made by the MS390.
How does Adaptive Policy actually work?
IT team creates an access policy whereby the sales team cannot access a product roadmap application.
When a salesperson connects their laptop to the network, Cisco ISE authenticates the user against Active Directory, then assigns a tag, say tag 4 for the salesperson. The MS390 receives tag 4 from ISE and adds tag 4 to every packet coming from the salesperson’s device. If the salesperson tries to connect to the product roadmap server, which only allows tag 5, the MS390 denies the request. But if the salesperson moves to the product team, the user profile changes in Active Directory, and the user can now access the roadmap application without anyone having to re-configure all the switches in the network.
This policy enforcement process has become scalable, effective, and automatic. Adaptive Policy utilizes Cisco SGT to determine traffic intent and can help scale and reinforce security for customers of any deployment size.
With Adaptive Policy, security is agnostic to network topology, making security orchestration and mass configuration changes consistent. Furthermore, instead of using IP addresses, we can now use natural language to determine how a policy is adjusted and implemented. Instead of seeing XXX.XXX.XXX.XXX, you’ll find yourself reading “Marketing team”.
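The following is an added illustration, not code from this post or from Cisco or Meraki, that models the salesperson walkthrough above in Python. The tag numbers, usernames, group names and IP addresses are all constructed; the directory is a dictionary standing in for Active Directory, the tag assignment function stands in for the RADIUS exchange with ISE, and the packet's `sgt` field stands in for the tag the switch stamps on each frame. It runs the same three situations through a tag matrix and through an equivalent IP-based ACL, so the difference in how each reacts to a server renumbering and to a team change is visible side by side:

```python
"""Toy model of tag-based (SGT-style) access control beside an IP-based ACL.

Constructed example for illustration only: the identity directory, tag numbers,
hostnames and addresses are made up and do not come from any Cisco or Meraki product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Identity source: stand-in for Active Directory group membership (constructed).
DIRECTORY = {"alice": "sales", "bob": "product"}

# Group -> tag: stand-in for what a RADIUS server returns at login (constructed numbers).
GROUP_TO_TAG = {"sales": 4, "product": 5}

# Destination resources carry a tag too; the roadmap server is tag 5 (constructed).
RESOURCE_TAGS = {"roadmap-server": 5, "crm-server": 4}

# Tag matrix: (src_tag, dst_tag) -> True when permitted. Any pair not listed is denied.
TAG_POLICY = {(4, 4): True, (5, 5): True, (5, 4): True}

# The IP-based equivalent: ordered rules, first match wins (constructed addresses).
IP_ACL = [
    (ip_network("10.1.4.0/24"), ip_network("10.9.0.10/32"), "deny"),  # sales subnet -> roadmap host
    (ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "permit"),
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sgt: int  # tag stamped on the packet at ingress after the RADIUS exchange


def assign_tag(username, directory=DIRECTORY):
    """Authentication step: look the user up and map their group to a tag; unknown users get nothing."""
    group = directory.get(username)
    if group is None:
        raise PermissionError(f"unknown user {username!r}")
    return GROUP_TO_TAG[group]


def tag_enforce(packet, dst_tag):
    """Tag-based enforcement: only the (source tag, destination tag) pair matters, never the addresses."""
    return "permit" if TAG_POLICY.get((packet.sgt, dst_tag), False) else "deny"


def ip_enforce(packet):
    """IP-based enforcement: walk the ACL in order and act on the first matching rule."""
    src, dst = ip_address(packet.src_ip), ip_address(packet.dst_ip)
    for src_net, dst_net, action in IP_ACL:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of the list


def scenario():
    """Walk the post's salesperson example through both policy models.

    Returns a dict of scenario name -> (tag-policy decision, IP-ACL decision).
    """
    results = {}
    roadmap_tag = RESOURCE_TAGS["roadmap-server"]

    # 1. Alice in sales sends to the roadmap server at its current address: both models deny.
    pkt = Packet("10.1.4.23", "10.9.0.10", assign_tag("alice"))
    results["sales_to_roadmap"] = (tag_enforce(pkt, roadmap_tag), ip_enforce(pkt))

    # 2. The roadmap server is renumbered (site move, acquisition, redesign). The IP ACL
    #    no longer matches and falls through to permit; the tag policy is unaffected.
    pkt = Packet("10.1.4.23", "10.9.0.11", assign_tag("alice"))
    results["after_server_renumber"] = (tag_enforce(pkt, roadmap_tag), ip_enforce(pkt))

    # 3. Alice moves to the product team: only the directory changes. Her next login
    #    yields tag 5 and access follows, with no switch or ACL edits. The IP ACL still
    #    denies because it only knows her subnet, not her role.
    moved = dict(DIRECTORY, alice="product")
    pkt = Packet("10.1.4.23", "10.9.0.10", assign_tag("alice", moved))
    results["after_team_change"] = (tag_enforce(pkt, roadmap_tag), ip_enforce(pkt))
    return results


if __name__ == "__main__":
    for name, (tag_result, ip_result) in scenario().items():
        print(f"{name:24s} tag-policy={tag_result:7s} ip-acl={ip_result}")
```

The second case is the one worth noticing from a defender's point of view: an IP rule that stops matching after a renumbering does not fail loudly, it simply falls through to whatever rule comes next, which is why the tag matrix above lists only permitted pairs and treats everything else as denied.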
Adaptive Policy is built with flexibility.
Adaptive Policy is a new feature built with a Meraki API-first strategy, so everything it does is fully consumable through the API. Together with Cisco, we are able to provide interoperability with an open implementation of tagging, which means it won’t be tied to only one vendor. Thanks to Cisco SGT’s open and extensible technology, Adaptive Policy provides maximum potential across Cisco and 3rd party vendors, giving you flexibility for your networking needs.
MR customers can take advantage of Adaptive Policy too!
Customers who have Meraki MR access points (ac Wave 2 and above) but do not have the MS390 can still deploy Adaptive Policy. Under a hybrid environment, current Cisco Catalyst switch (3K to 9K series) customers with Meraki MR can implement Adaptive Policy utilizing inline-SGTs.
How can I enable Adaptive Policy?
Adaptive Policy is available as an advanced feature on the MS390. You will need the MS390 switch along with the MS390 Advanced licensing to enable this new feature.
To learn more about Adaptive Policy and the MS390 switch, watch the launch webinar or read the MS390 blog. Starting early 2020, you can also give Adaptive Policy a whirl by starting a free trial.
When you get a call from a wireless user complaining about connectivity problems, what is one of the first questions you might ask? “Where are you exactly?” Knowing precisely where a user is located can be immensely helpful in diagnosing and troubleshooting issues. What AP are they associated to? Are they behind a pillar that could be blocking their wireless signal? Are they in an area of a new building where the network is currently being expanded and might still have some coverage weak spots? This knowledge can often provide an administrator with a good idea of where they should dig in to properly troubleshoot the issue.
Starting today, administrators of Meraki Enterprise networks won’t have to ask where a client is because they’ll know: introducing Meraki Location-Based Services. On each client details page you’ll notice a new map where the current location of the client is clearly indicated on either a Google map or building floorplan (see below screen shot).
In addition to troubleshooting client issues, there are many other situations where being able to pin down a client device’s location can be very useful to administrators, such as tracking down a lost laptop or monitoring a nurse’s progress doing rounds in a hospital with the medicine cart. Typically these capabilities might require additional appliances and third-party software costing tens of thousands of dollars, but with Meraki they are provided with all Enterprise networks at no additional cost and without the need to deploy additional gear.
When combined with other Dashboard features like “remote hands” tools and detailed reporting with Traffic Shaper’s application-level visibility, Location-Based Services provides administrators with powerful tools to understand exactly how their network is being used and to quickly troubleshoot client issues remotely. Please let us know what you think of this new feature using the Make a Wish box!
TEDGlobal 2010, themed “And Now the Good News”, wrapped up with some good news for Meraki and TEDGlobal attendees using the conference WiFi. As part of the British Telecom sponsorship team, fellow Meraki engineer Robert Shanks and I were on site to deploy and support the wireless network for this 4-day conference. To make a long story short, the wireless network performed flawlessly, with just over 1,000 people connecting throughout the conference and transferring over 250 gigabytes of data.
The conference venue, located in Oxford, UK, had its fiber backhaul brought in by BT. The backhaul was then distributed to wireless users in the two main venues of the conference, the Oxford Playhouse and the gala rooms of the Randolph Hotel, through fifteen MR14 dual-radio access points.
We leaned heavily on the Cloud Controller to quickly deploy the network with a small team. Rogue AP detection and automatic channel spreading maintained performance while TEDsters blogged, tweeted, browsed and streamed all at once. While we trusted the Cloud Controller’s real-time alerts to let us know about unexpected changes (there weren’t any), we also kept tabs on the network’s summary report, giving us a good understanding of the overall usage and performance of the network.
Along with performance and usage information, the summary reports confirmed that the device-of-choice for TEDsters was the iPad, with well over 100 using the network. In fact, hand-held devices accounted for over 50% of clients connecting to the network.
We had a great time at TED, and were happy to see the Meraki network being used so heavily. Thanks to the team at British Telecom for including us!
It doesn’t matter how large or small the conference is, it seems like they always have WiFi problems. The networks are consistently slow, frequently fail, and usually require some arcane security measures that involve weirdly small scraps of paper and bizarre usernames.
There’s no reason for WiFi to be this frustrating!
We’ve started a new project to loan our enterprise-grade WiFi gear to smaller tech conferences, meetups, BarCamps, WordCamps, Tweetups, whathaveyou … for free. You provide the Internet connection, and we’ll provide a rock-solid WiFi connection. All we ask in return is that if you like our products, tell your friends, and if not, let us know how we can make them better.
We’ve just gotten started with this project, but so far, meetups like SF Beta, WordCamp Boulder, and Hacks/Hackers NYC have had great experiences.
“One of the best decisions we made for our conference. Not only was the delivery and setup effortless, our network remained stable throughout the entire day. No matter your wireless needs, this experience alone tells me Meraki’s solutions are some of the best.” —WordCamp Boulder
As part of this project, we’re excited to be partnering with WordCamp.org. We’ll offer a streamlined signup process for the many BarCamp-style events that these organizations sponsor throughout the year.
If you run an event and would like to participate in our new Free Event WiFi project, we’d love it if you signed up! We’re looking for small to medium-sized events that have enough bandwidth to support that group.
If you’re interested, head on over to the signup page to learn more or take a look at our plug-and-play setup guide, or ask any questions below!
One of the most challenging aspects of managing large distributed networks is troubleshooting issues when the client is across town (or maybe even across the country!). Having on-site IT personnel 24/7 at even small satellite branch offices can require a very large IT staff and is too expensive for most organizations. Meraki networks offer a variety of “remote hands” troubleshooting tools, helping network admins diagnose and resolve many wireless connectivity issues without dispatching IT staff to the site. The ability to run diagnostic checks such as pinging an access point, running a throughput test from Dashboard, or reviewing detailed event logs have been integral to Meraki’s value for distributed networks and organizations with small IT staffs and large footprints.
We are now announcing a set of Live Client Tools that expose even more up-to-the-second information about who is on a wireless network, and further help troubleshoot connectivity issues. Administrators who log into their Enterprise network in Dashboard will notice several new and improved areas. On the Monitor > Overview page, there is now a new addition under the network name showing the number of clients that are associated at that moment:
If you click on the “More” link, you will see an expanded list with more information, including which SSIDs and channels the clients are using. This data is automatically refreshed as long as the “More” link is expanded.
Even cooler, Enterprise customers can change the access points map to show where clients are associated: click the “Options” menu on the map and select “Current clients.”
But the really interesting stuff is on the Access Point and Client detail pages. The Access Point detail page used to look like this:
Now, all of the live tools have been consolidated into a new, cleaner layout. Both Pro and Enterprise networks will benefit from the new layout. Enterprise networks now have two additional features in this area: Current Clients and Ping Client MAC. Clicking on the play icon next to Current Clients will pop up a list of all clients associated to that AP at that instant, including useful information about each client such as MAC, SSID, channel, signal strength, and how long they have been associated. Click on the name of a client to go to its client details page. You’ll even see clients that have associated, but not authenticated (they’re listed in grey). If you click the Ping link next to the client, you can actually ping that client in real time using ARP, as well as get additional information, such as RSSI changes over time and 802.1X identity (if appropriate).
The other new addition, Ping Client MAC, allows you to enter a MAC address and try to ping it. This can be very useful if you are trying to determine if a particular device is on your network at that moment.
There is also a new Live Tools section on the client detail page. From this page you can also ping that individual client, but there are a few additional new tools:
The Locate Client tool allows you to find out whether that client is associated on your network at that moment, and if so, where they’re associated and for how long:
Finally, the Packet Counter tool shows a real-time count of received and sent packets to that client. You can actually see the packet counters roll as you ping the client!
We think these new tools further improve Meraki’s uniquely clear approach to distributed, multi-site network management, a normally challenging task. Network administrators can more quickly resolve their wireless users’ connectivity issues and access accurate real-time data about the exact state of their network.