Securing Enterprise Networks with Cisco Meraki
Author(s): Chaney, Ryan
Chaneya, Ryan
Noorudeen, Kabeer
Singh, Simerjit
ISBN No.: 9780138298180
Pages: 800
Year: 202410
Format: Trade Paper
Price: $ 96.59
Dispatch delay: Dispatched between 7 to 15 days
Status: Available

Introduction xix

Chapter 1 Meraki's History 1 Roofnet 1 Start-up 3 Acquisition by Cisco 4 The Meraki Museum 7 Summary 7 Notes 8 Further Reading 8

Chapter 2 Security Frameworks and Industry Best Practices 11 The Cybersecurity Imperative 11 Adopting Industry Best Practice 13 Industry Standards 13 Security as a Team Sport 15 Key Themes Across Security Standards 15 Continuous Improvement 16 Comparison of Common Security Standards and Framework Requirements 16 Summary 17 Further Reading 17

Chapter 3 Meraki Dashboard and Trust 19 Meraki Dashboard 19 Out-of-Band Management 20 Meraki Dashboard Hierarchy 20 Trust 22 Privacy 23 Data Retention Policy 24 Data Security 24 Data Center Resiliency 26 Compliance with Information Standards, Regulations, and Industry Best Practices 26 Hardware Trust Model 28 Supply Chain Security 28 Secure Boot 29 Secure Device Onboarding 29 Software Trust Model 30 Cloud Shared Responsibility Model 32 Summary 32 Notes 33 Further Reading 33

Chapter 4 Role-Based Access Control (RBAC) 37 Meraki Dashboard's Administration Hierarchy 38 Administrator Access Levels for Dashboard Organizations and Networks 38 Assigning Permissions Using Network Tags 40 Port-Level Permissions 42 Role-Based Access Control for Camera-Only Administrators 49 Role-Based Access Control for Sensor-Only Administrators 52 Role-Based Access Control Using Systems Manager Limited Access Roles 53 Summary 60 Further Reading 60

Chapter 5 Securing Administrator Access to Meraki Dashboard 61 Securing Administrative Access to Meraki Dashboard 61 Meraki Dashboard Local Administrator Access Controls 62 Creating Meraki Dashboard Local Administrator Accounts 62 Password Age 68 Password Reuse 70 Password Complexity 72 Account Lockout After Invalid Login Attempts 74 Idle Timeout 77 IP Whitelisting 79 Multifactor Authentication (MFA) 81 Configuring SAML Single Sign-On (SSO) for Dashboard 98 The Use Cases for Single Sign-On 98 SAML Single Sign-On Login Flow 99 SAML Single Sign-On Design 99 Configuring Meraki SAML SSO Using Cisco Duo and Microsoft Entra ID 102 Prerequisites 103 Adding SP-Initiated SAML SSO 146 Verifying SAML SSO Access to Meraki Dashboard with Cisco Duo and Microsoft Entra (Including Duo Inline Enrollment) 148 Implementing Additional Access Controls Using Cisco Duo and Microsoft Entra ID 159 Password Policies 159 Password Age 160 Password Reuse 160 Password Complexity 160 Account Lockout After Invalid Login Attempts 160 Security Policies 161 IP Whitelisting 161 Restricting Concurrent Logins 162 Automatically Disabling Inactive Accounts 162 Automatically Disabling Accounts After a Predetermined Period of Time Unless Revalidated 163 Automatically Disabling Temporary Accounts 165 Summary 165 Further Reading 166

Chapter 6 Security Operations 169 Centralized Logging Capabilities 170 Login Attempts 172 Change Log 172 Event Log 174 Creating API Keys 175 Finding Your Organization ID 180 Exporting Logs 180 Exporting Logs to Splunk 181 Syslog 190 Exporting Flow Data 192 NetFlow, IPFIX, and Encrypted Traffic Analytics 193 Syslog Flows 196 Compliance Reporting with AlgoSec 197 Prerequisites 197 Integrating AlgoSec with Meraki Dashboard for Compliance Reporting 197 Monitoring and Incident Response 208 Security Center 209 Alerts 210 External Alerting 213 Webhooks 213 SNMP Traps 224 External Polling 227 Meraki Dashboard API 228 SNMP 234 Automated Incident Response with ServiceNow 240 Security Management 246 Inventory 247 Hardware 247 Software 248 Configuration 249 Client Devices 251 Topology 252 Summary 253 Notes 253 Further Reading 254

Chapter 7 User Authentication 257 Configuring Meraki Cloud Authentication 260 Configuring SAML with Cisco Duo and Microsoft Entra 264 Confirming Functionality of SAML Configuration Using AnyConnect VPN 273 Configuring RADIUS Using Cisco ISE, Cisco Duo, and Microsoft Active Directory 276 Prerequisites 277 Configuring Users and Groups in Microsoft Active Directory 280 Configuring Group(s) in Active Directory 280 Configuring User(s) in Active Directory 281 Configuring Cisco Identity Services Engine (ISE) 285 Adding Network Access Devices (NADs) to Cisco ISE 285 RADIUS Configuration for Wired and Wireless 802.1X 295 Configuring Organization-Wide RADIUS in Meraki Dashboard 295 Creating a Policy Set for Wired and Wireless 802.1X in Cisco ISE 300 Configuring an Authentication Policy in Cisco ISE 304 Configuring an Authorization Policy in Cisco ISE 305 Confirming Functionality of RADIUS Authentication on Wireless 308 Confirming Functionality of RADIUS Authentication for Wired 802.1X 312 RADIUS Configuration for AnyConnect VPN with Duo MFA 315 Configuring Duo Authentication Proxy 317 Configuring AD Sync in Duo Admin Panel 319 Encrypting Passwords in Duo Authentication Proxy 330 Enrolling Users with Cisco Duo 330 Configuring Cisco Duo as an External RADIUS Server in Cisco ISE 335 Creating the Policy Set for AnyConnect VPN in Cisco ISE 337 Meraki Dashboard Using Active Directory Authentication for AnyConnect VPN 342 Prerequisites 342 Configuring Active Directory Authentication 346 Confirming Functionality of Active Directory Configuration 348 Summary 350 Further Reading 350

Chapter 8 Wired and Wireless LAN Security 353 Access Control Lists and Firewalls 354 Access Control Lists (Meraki MS) 354 Meraki MR Firewall 357 Layer 3 Firewall 358 Layer 7 Firewall (Including NBAR Content Filtering) 360 Ethernet Port Security Features (Meraki MS) 362 MAC Allow Lists 362 Sticky MAC Allow Lists 366 Port Isolation 368 SecurePort 370 Dynamic ARP Inspection 373 Rogue DHCP Server Detection (Meraki MS) 376 Hardening Meraki MR and MS Devices (Local Status Page) 379 Zero Trust (Wired and Wireless Dot1x) 382 802.1X with Protected EAP (PEAP) on Wired and Wireless Networks 383 Configuring Wireless 802.1X with Protected EAP (PEAP) 383 Configuring Wired 802.1X with Protected EAP (PEAP) 388 Configuring 802.1X Using EAP-TLS on Wired and Wireless Networks 394 Configuring the Identity Source Sequence in Cisco ISE 396 Configuring the Policy Set in Cisco ISE 398 Generating a Client Certificate Using Cisco ISE 404 Exporting the Cisco ISE Certificate Authority Certificate 408 Testing Wireless 802.1X with EAP-TLS 411 Testing Wired 802.1X with EAP-TLS 413 Sentry-Based 802.1X with EAP-TLS on Wired and Wireless Networks 416 Sentry Wi-Fi 416 Sentry LAN 419 Configuring MAC Authentication Bypass (MAB) 426 Configuring an Endpoint Identity Group in Cisco ISE 426 Creating a Policy Set in Cisco ISE for MAC Authentication Bypass 430 Configuring Wireless MAC Authentication Bypass in Meraki Dashboard 436 Configuring Wired MAC Authentication Bypass in Meraki Dashboard 439 Group Policies 443 Creating a Group Policy 443 Applying Group Policies 446 Applying Group Policies to a Client Manually 446 Applying Group Policies Using a Sentry Policy 449 Applying Group Policies Using RADIUS Attributes and Cisco ISE 452 Adaptive Policy and Security Group Tags (SGTs) 459 Enabling Adaptive Policy 460 Configuring Security Group Tag Propagation 461 Enabling SGT Propagation on Meraki MS Switches 461 Enabling SGT Propagation on Meraki MX Security Appliances 463 Creating Security Group Tags 466 Creating Adaptive Policy Groups in Meraki Dashboard 466 Creating Security Group Tags in Cisco ISE 469 Assigning Security Group Tags 472 Statically Assigning Security Group Tags to SSIDs 472 Statically Assigning Security Group Tags to Switch Ports 473 Assigning Security Group Tags Using Cisco ISE 475 Creating an Adaptive Policy 476 Testing Adaptive Policy 479 Client Laptop 480 POS Terminal 480 POS Server 483 Testing 483 Wireless Security 487 Summary 489 Notes 489 Further Reading 490

Chapter 9 Meraki MX and WAN Security 493 Meraki MX Introduction 493 Site-to-Site VPN (Auto VPN) 494 Site-to-Site VPN with Non-Meraki Devices 499 ThousandEyes 505 Remote-Access VPN 507 Client VPN 508 Sentry VPN 514 AnyConnect VPN 519 Confirming Functionality of AnyConnect VPN Access 524 Restricting Client VPN Traffic 529 Virtual MX (vMX) 531 Sizing a Virtual MX 531 Understanding Feature Parity with Meraki MX 532 Deploying Virtual MX in Amazon Web Services (AWS) 533 Creating a New vMX Network in Meraki Dashboard 533 Configuring the Default VPC in AWS 536 Deploying vMX in AWS 541 Viewing the New vMX in Meraki Dashboard 552 Summary 553 Notes 554 Further Reading 554

Chapter 10 Securing User Traffic 557 Comparison of Meraki's Native Security Capabilities and Cisco Secure Connect 558 Native Meraki MX Capabilities 559 Layer 3 Firewall 559 Layer 7 Firewall 563 Geo-IP Firewall 566 Enabling Detailed Traffic Analysis 566 Config.

