Cisco Identity Services Engine (ISE) is the cornerstone of enterprise network access control. Meraki is the go-to platform for cloud-managed networking in branch offices and mid-market deployments. Getting the two working together gives you centralized authentication, guest management, device posturing, and dynamic policy enforcement — all across your wireless, wired, and VPN infrastructure.

This guide walks you through the full integration end to end: ISE device configuration, Meraki Dashboard setup for both wireless and wired, ISE policy sets, Central Web Authentication, Change of Authorization (CoA), and verification.


What You Can Achieve

| Use Case | Meraki Device | ISE Feature |
| --- | --- | --- |
| WPA2/3-Enterprise (Dot1X) | MR Wireless | RADIUS Auth + AuthZ |
| Guest Central Web Auth (CWA) | MR Wireless | CWA + Redirect + CoA |
| Wired 802.1X + MAB | MS Switches | RADIUS Auth + CoA |
| Device posture assessment | MR + MS | Posture + CoA |
| Device profiling | MR 31.2+ | RADIUS Accounting / Device Sensor |
| VPN user authentication | MX Security Appliance | RADIUS Auth |

Prerequisites

Before starting, confirm you have:

  • Cisco ISE 2.4+ (ISE 3.x recommended)
  • Meraki firmware: MR 24.0+ for wireless CoA, MS 8.10+ for wired CoA
  • Network reachability between Meraki devices and ISE:
    • UDP 1812 (RADIUS auth)
    • UDP 1813 (RADIUS accounting)
    • UDP 1700 (CoA from ISE to Meraki)
  • Admin access to both Meraki Dashboard and Cisco ISE

Step 1: Add Meraki as a Network Device in ISE

Every Meraki device that will send RADIUS requests to ISE must be registered as a Network Device.

Navigate to Administration > Network Resources > Network Devices and click Add.

[Figure: ISE Network Devices list]

Fill in the device details and scroll down to RADIUS Authentication Settings. Check the box and enter a Shared Secret — this must match exactly what you configure in the Meraki Dashboard later.

[Figure: ISE Add Network Device with RADIUS settings]

| Field | Value |
| --- | --- |
| Name | Descriptive name (e.g. Meraki-MR-Branch1) |
| IP Address | Meraki AP, switch, or MX IP |
| Shared Secret | Strong password — must match Meraki config |

Tip: For large deployments, configure a Default Network Device under Administration > Network Resources > Default Network Device with a shared secret. This lets all Meraki devices authenticate without pre-registering every single device.


Step 2: Configure Meraki Wireless (MR) — CWA Guest Flow

For guest networks, Meraki uses Central Web Authentication (CWA): the AP forwards the client’s MAC to ISE, ISE returns a redirect URL, and the client is sent to the ISE guest portal to authenticate.

How the Packet Flow Works

[Figure: CWA Packet Flow - Client, MR, ISE]

  1. Client associates to the SSID
  2. MR sends the client MAC as a RADIUS Access-Request to ISE
  3. ISE returns Access-Accept with a redirect URL
  4. Client gets an IP via DHCP
  5. Client sends an HTTP GET — MR intercepts it and redirects to the ISE portal
  6. Client authenticates on the ISE web portal
  7. ISE sends a CoA request (UDP 1700) to the MR
  8. MR sends CoA-ACK and reauthenticates the client
  9. ISE grants full access

Configure MAC-Based Authentication

In the Meraki Dashboard, go to Wireless > Configure > Access Control, select your guest SSID, and set Security to MAC-based access control (no encryption).

[Figure: Meraki Dashboard MAC-based access control selected]

Configure the RADIUS Server

Under the RADIUS section, add your ISE PSN as a RADIUS server. Enable RADIUS CoA support and set the group policy attribute to Airespace-ACL-Name.

[Figure: Meraki Dashboard RADIUS server and CoA configuration]

| Field | Value |
| --- | --- |
| Host IP or FQDN | ISE PSN IP address |
| Auth port | 1812 |
| Accounting port | 1813 |
| Secret | Must match ISE shared secret |
| RADIUS CoA support | ✅ Enabled |
| Group policy attribute | Airespace-ACL-Name |

Select ISE as the Splash Page

Under the Splash page section, select Cisco Identity Services Engine (ISE) Authentication. This tells the AP to honor the URL-redirect attribute returned by ISE.

[Figure: Meraki Dashboard splash page ISE Authentication selected]

Important: Do NOT use Hybrid Authentication with Increase Access Speed — this will break CWA.

Configure the Walled Garden

Add the ISE PSN IP to the Walled garden under Advanced Splash Settings. This allows the redirect to work before the client is authenticated.

[Figure: Meraki Walled Garden configuration with ISE IP]

Also add these entries to prevent Apple/Android captive portal detection from interfering:

17.0.0.0/8
captive.apple.com
*.apple.com
clients3.google.com
*.gstatic.com

Step 3: Configure Meraki Wireless (MR) — WPA2/3-Enterprise (Dot1X)

For corporate SSIDs where users authenticate with Active Directory credentials:

  1. Go to Wireless > Configure > Access Control, select your corporate SSID
  2. Under Association requirements, select WPA2/WPA3-Enterprise
  3. Add ISE as the RADIUS server (same IP, port 1812, matching secret)
  4. CoA is automatically enabled when ISE splash is configured

Step 4: Configure Meraki Wired (MS Switches)

For wired 802.1X and MAC Authentication Bypass (MAB) on Meraki switches:

  1. Go to Switch > Configure > Access policies
  2. Click Add access policy
  3. Set Policy type to 802.1X or MAC authentication bypass (or both)
  4. Add ISE PSN as the RADIUS server
  5. Enable RADIUS CoA support
  6. Assign the access policy to switch ports under Switch > Configure > Switch ports

Step 5: Configure ISE — Authorization Profile for CWA

Before building policy, create the CWA redirect authorization profile.

Navigate to Policy > Results > Authorization Profiles and click Add.

  • Name: CWA_Redirect
  • Under Common Tasks, enable Web Redirection
  • Type: Centralized Web Auth
  • ACL: NULL
  • Value: Self-Registered Guest Portal (or your custom portal)

[Figure: ISE Authorization Profile - CWA Redirect configuration]


Step 6: Configure ISE — Policy Sets

Policy Sets are where ISE decides which rules to apply to incoming RADIUS requests.

Navigate to Policy > Policy Sets and create a new set. Set the condition to match your Meraki SSID:

RADIUS:Called-Station-ID ENDS_WITH "Your-SSID-Name"

Authentication Policy

Inside the Policy Set, configure authentication rules:

[Figure: ISE Authentication Policy for CWA]

| Condition | Identity Store | If User Not Found |
| --- | --- | --- |
| Wireless_MAB | Internal Endpoints | CONTINUE ← critical for CWA |
| Wireless_802.1X | Active Directory | Reject |

Setting “If user not found” to CONTINUE for MAB is essential — it allows unknown MAC addresses to proceed to the redirect phase instead of being rejected outright.

Authorization Policy — Two Rules Required

CWA requires two authorization rules in this exact order:

[Figure: ISE Authorization Rules showing redirect then permit order]

Rule 1 — Redirect (catches unknown clients, sends them to the portal)

| Field | Value |
| --- | --- |
| Condition | Called-Station-ID ENDS_WITH "Guest-SSID" |
| Result | CWA_Redirect profile |

Rule 2 — Grant Access (hits after successful portal login)

| Field | Value |
| --- | --- |
| Condition | Endpoint in GuestEndpoints identity group |
| Result | PermitAccess |

Order matters: The redirect rule must come before the default permit/deny rule, or authenticated guests will keep getting redirected.


Step 7: Verify — RADIUS Live Logs

Once configured, go to Operations > RADIUS > Live Logs in ISE.

For every client that connects, you’ll see:

| Column | What to check |
| --- | --- |
| Identity | Client MAC or username |
| Authentication Policy | Correct policy set matched? |
| Authorization Policy | Correct rule applied? |
| Authorization Result | CWA_Redirect for new clients, PermitAccess after portal login |
| Failure Reason | Root cause if something fails |

A successful CWA flow shows two entries per client:

  1. First hit → CWA_Redirect (before portal login)
  2. Second hit (after CoA) → PermitAccess
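One way to check the two-entry pattern above across many clients at once, as an added example that is not part of the original guide or any Cisco tool. The CSV column names, policy names, and sample rows are constructed assumptions; map them to the columns of your own Live Logs export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, not a real ISE export
SAMPLE_CSV = """\
Timestamp,Identity,Authorization Policy,Authorization Result,Failure Reason
2024-05-01 09:00:01,AA:BB:CC:00:00:01,Guest >> Redirect,CWA_Redirect,
2024-05-01 09:00:40,AA:BB:CC:00:00:01,Guest >> Grant Access,PermitAccess,
2024-05-01 09:01:10,AA:BB:CC:00:00:02,Guest >> Redirect,CWA_Redirect,
2024-05-01 09:02:05,AA:BB:CC:00:00:03,Guest >> Redirect,CWA_Redirect,
2024-05-01 09:02:50,AA:BB:CC:00:00:03,Guest >> Redirect,CWA_Redirect,
2024-05-01 09:03:30,AA:BB:CC:00:00:03,Guest >> Redirect,CWA_Redirect,
2024-05-01 09:04:00,AA:BB:CC:00:00:04,,,5400 Authentication failed
"""

def classify_cwa_flows(csv_text):
    """Return {client: verdict} from the ordered authorization results per client."""
    results = defaultdict(list)
    failures = {}
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["Timestamp"])
    for row in rows:
        client = row["Identity"].upper()
        if row["Failure Reason"]:
            failures[client] = row["Failure Reason"]
        elif row["Authorization Result"]:
            results[client].append(row["Authorization Result"])
    verdicts = {}
    for client in sorted(set(results) | set(failures)):
        seq = results.get(client, [])
        if client in failures:
            verdicts[client] = "failed: " + failures[client]
        elif seq[:1] == ["CWA_Redirect"] and seq[-1] == "PermitAccess":
            verdicts[client] = "ok"  # redirect first, PermitAccess after CoA
        elif all(r == "CWA_Redirect" for r in seq):
            # One redirect: portal login or CoA has not completed yet.
            # Several: check authorization rule order and CoA (UDP 1700).
            verdicts[client] = "repeated-redirect" if len(seq) > 1 else "redirect-only"
        else:
            verdicts[client] = "unexpected: " + " -> ".join(seq)
    return verdicts

if __name__ == "__main__":
    for client, verdict in classify_cwa_flows(SAMPLE_CSV).items():
        print(client, verdict)
```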

Common Issues and Fixes

| Symptom | Likely Cause | Fix |
| --- | --- | --- |
| No RADIUS requests in ISE Live Logs | Firewall blocking UDP 1812 | Open 1812/1813 from Meraki to ISE PSN |
| 5400 Authentication failed | Shared secret mismatch | Verify secret matches in both ISE and Meraki Dashboard |
| CWA redirect not happening | ISE splash not selected, or walled garden missing ISE IP | Select ISE Authentication in splash, add ISE IP to walled garden |
| Client redirected in a loop | Auth and redirect rules in wrong order | Ensure PermitAccess rule is above the redirect rule |
| CoA not working | UDP 1700 blocked, or CoA not enabled | Open UDP 1700 from ISE to Meraki; enable RADIUS CoA in Dashboard |
| Fast roaming disabled | Expected on CoA-enabled SSIDs | 802.11r/OKC/PMKSA are disabled when CoA is active (except MR 32.1+ with ISE 3.3+) |
| Profiling not working in ISE | Old MR firmware | Upgrade to MR 31.2+ for Device Sensor support |
| Cannot locate AAA or Network Device | Device IP not in ISE | Add Meraki device IP to ISE Network Devices, or configure Default Network Device |
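The "Client redirected in a loop" row above, modeled as an added example (a simulation written for this guide, not ISE code). It assumes authorization rules are evaluated top-down with the first match winning, and that portal login places the endpoint in GuestEndpoints; the session values are constructed.

```python
def ssid_is_guest(session):
    # Same test as the guide's condition: Called-Station-ID ENDS_WITH "Guest-SSID"
    return session["called_station_id"].endswith("Guest-SSID")

def in_guest_endpoints(session):
    return "GuestEndpoints" in session["identity_groups"]

# (rule name, condition, authorization result), named after the guide's rules
REDIRECT = ("Redirect", ssid_is_guest, "CWA_Redirect")
GRANT = ("Grant Access", in_guest_endpoints, "PermitAccess")

def authorize(rules, session, default="DenyAccess"):
    """Assumed evaluation model: top-down, first matching rule wins."""
    for name, condition, result in rules:
        if condition(session):
            return name, result
    return "Default", default

def simulate_guest(rules):
    """Run the two RADIUS hits of a CWA flow: before login and after CoA."""
    session = {
        "called_station_id": "AA-BB-CC-DD-EE-FF:Guest-SSID",  # constructed value
        "identity_groups": set(),
    }
    first = authorize(rules, session)[1]
    # Portal login succeeds, the endpoint joins GuestEndpoints, CoA forces reauth
    session["identity_groups"].add("GuestEndpoints")
    second = authorize(rules, session)[1]
    return [first, second]

if __name__ == "__main__":
    print("PermitAccess above redirect:", simulate_guest([GRANT, REDIRECT]))
    print("Redirect above PermitAccess:", simulate_guest([REDIRECT, GRANT]))
```

With the SSID-only redirect condition on top, the post-CoA reauthentication still matches it first, which is the loop the table describes.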

Key Port Reference

| Port | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| 1812 | UDP | Meraki → ISE | RADIUS Authentication |
| 1813 | UDP | Meraki → ISE | RADIUS Accounting |
| 1700 | UDP | ISE → Meraki | Change of Authorization (CoA) |

What’s Next

Once the base integration is working, you can layer on:

  • Device Posture — ISE checks if endpoints are compliant before granting access
  • BYOD Onboarding — Self-service certificate enrollment for personal devices
  • Adaptive Policy (SGT) — Cisco TrustSec group tagging for micro-segmentation across Meraki and Catalyst infrastructure
  • pxGrid — Share context between ISE and other security tools (FMC, Stealthwatch, etc.)

The Meraki + ISE integration is one of the most powerful access control combinations available in the mid-market. Once the RADIUS plumbing is in place, everything else — posture, profiling, guest lifecycle, dynamic segmentation — builds on top of it.