topic Re: 802.1x Switch Port configuration for Meraki Access Point in Network Access Control

802.1x Switch Port configuration for Meraki Access Point

latenaite2011 — Wed, 30 Nov 2022 21:53:46 GMT

Does anyone know what the current setting is for a 802.1x switch port configuration for the switch for a Meraki Access Point? Is it a configuration similar to A or B below (a regular trunk port for an Access Point). I have been B but not sure how it would trigger 802.1x without the 802.1x setting.

interface X/X
switchport mode trunk
switchport trunk allowed vlan x
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

interface X/X

switch mode trunk

switch trunk allowed x

Also - as for the Windows supplicant client, is the 802.1x setting below required too for the Wifi settings - https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication and the WlAN AutoConfig service needs to be enabled/started automatically like a 802.1x setting?

thanks in advance!

(regular port for trunk for an Access Point)

Re: 802.1x Switch Port configuration for Meraki Access Point

ahollifield — Thu, 01 Dec 2022 20:26:43 GMT

Huh? Why aren't you performing 802.1X on the Merkai APs for the clients? Are you looking to authenticate the AP ITSELF via 802.1X or Clients?

Re: 802.1x Switch Port configuration for Meraki Access Point

latenaite2011 — Fri, 02 Dec 2022 08:05:11 GMT

Thanks Ahollifield for the response. I am looking to authenticate the clients connecting to the SSID through that first AP (one it works, we will deploy the rest). I thought I saw a different environment where there was not 802.1x config at all on it so wanted to check. It did work at one point with the 802.1x config on it and doesn't work after, even after we tried a different switch port and re-applied the setting here for the Wifi-adapter on the adapter: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication.

So sounds like it should have the 802.1x configuration? We did do one thing on the ISE policy to add the domain computers as condition (in addition to the domain users) but after that didn't work, we removed the domain computers and after that it never worked again. Just wondering what would cause it not to work again and what the proper setting is also for domain computers and domain users as conditions with the Meraki APs. thanks in advance.

Re: 802.1x Switch Port configuration for Meraki Access Point

Karsten Iwen — Fri, 02 Dec 2022 08:29:28 GMT

If you want to authenticate the clients, then the Switchport needs a basic trink configuration allowing all VLANs that your Wireless users are assigned to in addition to the AP VLAN.

You will likely have multiple rules in your ISE policy. At leat one for the users (perhaps multiple based on department or other information) and one for the Domain computers. But this depends on your needs. You don't have to authenticate the machine or the user. But you can do both. Just make sure that the supplicant config matches your policy-config.

Re: 802.1x Switch Port configuration for Meraki Access Point

latenaite2011 — Sat, 10 Dec 2022 12:47:14 GMT

Thanks Karsten for the reply. I will try that and was going to ask about the computer authentication configuration.

Have a question that is somewhat related: Just wondering if there the following is supported if the option is checked to automatically use Windows Logon to avoid having users to relogin:

Uncheck Automatically use my Windows logon name

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication

We tried it and it didn't work and was wondering that is why the documentation says to leave it unchecked.

thanks!

Re: 802.1x Switch Port configuration for Meraki Access Point

hslai — Sun, 11 Dec 2022 17:51:17 GMT

@latenaite2011 If your ISE RADIUS live log indicated an error, what is it? Otherwise, I think you need open a case with Cisco Meraki support.

Re: 802.1x Switch Port configuration for Meraki Access Point

thomas — Thu, 15 Dec 2022 23:02:32 GMT

I encourage you to watch our webinars including this one which shows you how to do it:

▶ Secure Cisco Meraki Wireless with ISE

00:00 Intro & Agenda
00:42 ISE Compatibility (RADIUS & TACACS protocols)
01:12 Meraki Hardware & Software Capabilities
01:58 Endpoint Authentication and Trust
02:55 Authentication & Network Access Security is a Spectrum
06:25 Meraki Dashboard
07:29 SSIDs and Access Control Options
08:40 Methods for Securing Meraki Wireless with ISE
09:47 MAC Authentication Bypass (MAB)
11:36 Meraki RADIUS Authentication Test
11:56 Demo: Meraki Dashboard SSIDs for Open Hotspot and ISE Configuration Overview
19:28 Centralized Web Authentication (CWA) with ISE vs Meraki Splash Page
22:50 Demo: Guest HotSpot WebAuth with Acceptable User Policy using GuestEndpoints Group Filtering
28:00 Pre-Shared Keys in Meraki (but not with ISE)
29:53 Enable iPSK in Meraki with ISE
30:16 Meraki Config Updates may take several minutes sometimes!
31:43 Identity PSK (iPSK) and RADIUS:Tunnel-Password(69)
32:45 Demo: iPSK for IOT Devices, IOT_WiFi Policy, and Authorization Profiles
41:24 IEEE 802.1X Overview
43:06 Certificate Authentication Profile (CAP) for certificate authentication
43:23 Endpoint Supplicant Provisioning
44:21 Meraki Systems Manager (SM)
44:29 Demo: 802.1X with corp SSID and ISE Configuration
46:35 Demo: 802.1X Username+Password
47:32 Demo: Meraki System Manager Payload for corp SSID and digital certificate
52:30 ISE Webinars and Resources

Re: 802.1x Switch Port configuration for Meraki Access Point

latenaite2011 — Tue, 20 Dec 2022 17:25:56 GMT

Thanks Thomas great video - Some help useful tips already and will try
during next sessions. thanks!

Re: 802.1x Switch Port configuration for Meraki Access Point

latenaite2011 — Wed, 28 Dec 2022 05:47:31 GMT

Hey Thomas,

I went through this video but didn't see anything for the switchport
configuration. What would the switch port configuration be for the
802.1x/MAB for the Meraki AP?

Thanks in advance!

Re: 802.1x Switch Port configuration for Meraki Access Point

jkyt@nnit.com — Wed, 18 Jan 2023 15:04:32 GMT

Hi @latenaite2011,

You want to authenticate Wireless clients connecting to that AP? If yes then the authentication happens on the wireless part of the network and you need to set it up in the Meraki Dashboard. On the switch you just need to set trunk port with native vlan (AP management vlan). Switch will not do any authentication - the clients are already authenticated when they connect to WiFi.

If you have enabled 802.1X authentication on the switch and would like set the authentication also for the AP port then it's little bit tricky. You need to authenticate only the AP and leave the bridged Wireless clients without authentication. So you need to use multi-host authentication mode. Also set the AP port to access mode and switch it to trunk via interface template during AP authentication. This is how I do it with ISE. I have Cisco switch and Meraki AP.

Br,

Jiri

Re: 802.1x Switch Port configuration for Meraki Access Point

m-leguyader — Fri, 29 Nov 2024 11:37:18 GMT

dear jkyt@nnit.com

Thank you for your answer, i am blocked at this step "Also set the AP port to access mode and switch it to trunk via interface template during AP authentication."

is it possble to share a sample of your conf please ?

Thank you very much

Re: 802.1x Switch Port configuration for Meraki Access Point

jkyt@nnit.com — Fri, 29 Nov 2024 13:28:06 GMT

Something like this (IBNS2.0+), not a perfect solution but I'm not aware of any better when you need flex connect:

#interface template assigned by ISE during AP authorization
#switch interface to trunk
template AP-Authz
switchport trunk native vlan 120
switchport mode trunk
!

#template with 802.1X settings for AP in flex connect mode - host-mode multi-host
template AP-WiredDot1xClosedAuth
dot1x pae authenticator
dot1x timeout tx-period 6
dot1x max-reauth-req 3
mab
access-session control-direction in
access-session host-mode multi-host
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber WiredDot1xClosedAuth_MAB_1X
!

#interace configuration - assigning AP-WiredDot1xClosedAuth template
interface GigabitEthernet1/0/2
description *WIFI*
switchport access vlan 120
switchport mode access
device-tracking attach-policy IPDT
ip arp inspection trust
no logging event link-status
load-interval 30
no snmp trap link-status
source template AP-WiredDot1xClosedAuth
spanning-tree portfast trunk
spanning-tree guard root
end

Re: 802.1x Switch Port configuration for Meraki Access Point

m-leguyader — Fri, 29 Nov 2024 15:48:12 GMT

Thanks you very much

And on your ISE, you just enter in the authZ profile the interface template : AP-Authz ? no VLAN or DACL ?