802.1x Switch Port configuration for Meraki Access Point

latenaite2011
Level 4

Does anyone know what the current setting is for an 802.1x switch port configuration on the switch for a Meraki Access Point? Is it a configuration similar to A or B below (a regular trunk port for an Access Point)? I have been using B but am not sure how it would trigger 802.1x without the 802.1x setting.

a)

interface X/X
switchport mode trunk
switchport trunk allowed vlan x
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

or 

b)

interface X/X
 switchport mode trunk
 switchport trunk allowed vlan x


Also - as for the Windows supplicant client, is the 802.1x setting below required too for the Wi-Fi settings - https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication - and does the WLAN AutoConfig service need to be enabled/started automatically like an 802.1x setting?


thanks in advance! 


(regular port for trunk for an Access Point)


12 Replies

Huh? Why aren't you performing 802.1X on the Meraki APs for the clients? Are you looking to authenticate the AP ITSELF via 802.1X or the clients?

Thanks Ahollifield for the response. I am looking to authenticate the clients connecting to the SSID through that first AP (once it works, we will deploy the rest). I thought I saw a different environment where there was no 802.1x config at all on it, so I wanted to check. It did work at one point with the 802.1x config on it and doesn't work after, even after we tried a different switch port and re-applied the setting here for the Wi-Fi adapter: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication.

So it sounds like it should have the 802.1x configuration? We did do one thing on the ISE policy to add the domain computers as a condition (in addition to the domain users), but after that didn't work, we removed the domain computers and after that it never worked again. Just wondering what would cause it not to work again and what the proper setting is also for domain computers and domain users as conditions with the Meraki APs. Thanks in advance.

If you want to authenticate the clients, then the switchport needs a basic trunk configuration allowing all VLANs that your wireless users are assigned to in addition to the AP VLAN.

You will likely have multiple rules in your ISE policy. At least one for the users (perhaps multiple based on department or other information) and one for the domain computers. But this depends on your needs. You don't have to authenticate the machine or the user. But you can do both. Just make sure that the supplicant config matches your policy config.

Thanks Karsten for the reply. I will try that and was going to ask about the computer authentication configuration.

Have a question that is somewhat related: just wondering if the following is supported if the option is checked to automatically use the Windows logon, to avoid having users re-login:

  1. Uncheck Automatically use my Windows logon name

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and_Meraki_Authentication

We tried it and it didn't work, and I was wondering if that is why the documentation says to leave it unchecked.


thanks!


I encourage you to watch our webinars including this one which shows you how to do it:

Secure Cisco Meraki Wireless with ISE

00:00 Intro & Agenda
00:42 ISE Compatibility (RADIUS & TACACS protocols)
01:12 Meraki Hardware & Software Capabilities
01:58 Endpoint Authentication and Trust
02:55 Authentication & Network Access Security is a Spectrum
06:25 Meraki Dashboard
07:29 SSIDs and Access Control Options
08:40 Methods for Securing Meraki Wireless with ISE
09:47 MAC Authentication Bypass (MAB)
11:36 Meraki RADIUS Authentication Test
11:56 Demo: Meraki Dashboard SSIDs for Open Hotspot and ISE Configuration Overview
19:28 Centralized Web Authentication (CWA) with ISE vs Meraki Splash Page
22:50 Demo: Guest HotSpot WebAuth with Acceptable User Policy using GuestEndpoints Group Filtering
28:00 Pre-Shared Keys in Meraki (but not with ISE)
29:53 Enable iPSK in Meraki with ISE
30:16 Meraki Config Updates may take several minutes sometimes!
31:43 Identity PSK (iPSK) and RADIUS:Tunnel-Password(69)
32:45 Demo: iPSK for IOT Devices, IOT_WiFi Policy, and Authorization Profiles
41:24 IEEE 802.1X Overview
43:06 Certificate Authentication Profile (CAP) for certificate authentication
43:23 Endpoint Supplicant Provisioning
44:21 Meraki Systems Manager (SM)
44:29 Demo: 802.1X with corp SSID and ISE Configuration
46:35 Demo: 802.1X Username+Password
47:32 Demo: Meraki System Manager Payload for corp SSID and digital certificate
52:30 ISE Webinars and Resources

Thanks Thomas, great video. Some helpful tips already, and I will try them during the next sessions. Thanks!

Hey Thomas,

I went through this video but didn't see anything for the switchport configuration. What would the switch port configuration be for the 802.1x/MAB for the Meraki AP?

Thanks in advance!

hslai
Cisco Employee

@latenaite2011 If your ISE RADIUS live log indicated an error, what is it? Otherwise, I think you need to open a case with Cisco Meraki support.

jkyt@nnit.com
Level 1

Hi @latenaite2011,

You want to authenticate wireless clients connecting to that AP? If yes, then the authentication happens on the wireless part of the network and you need to set it up in the Meraki Dashboard. On the switch you just need to set a trunk port with a native VLAN (AP management VLAN). The switch will not do any authentication - the clients are already authenticated when they connect to Wi-Fi.

If you have enabled 802.1X authentication on the switch and would like to set up authentication also for the AP port, then it's a little bit tricky. You need to authenticate only the AP and leave the bridged wireless clients without authentication. So you need to use multi-host authentication mode. Also set the AP port to access mode and switch it to trunk via an interface template during AP authentication. This is how I do it with ISE. I have a Cisco switch and a Meraki AP.

Br,

Jiri

m-leguyader
Level 1

Dear jkyt@nnit.com,

Thank you for your answer. I am blocked at this step: "Also set the AP port to access mode and switch it to trunk via interface template during AP authentication."

Is it possible to share a sample of your conf please?

Thank you very much 

Something like this (IBNS 2.0+), not a perfect solution but I'm not aware of any better one when you need flex connect:

#interface template assigned by ISE during AP authorization
#switch interface to trunk
template AP-Authz
 switchport trunk native vlan 120
 switchport mode trunk
!

#template with 802.1X settings for AP in flex connect mode - host-mode multi-host
template AP-WiredDot1xClosedAuth
 dot1x pae authenticator
 dot1x timeout tx-period 6
 dot1x max-reauth-req 3
 mab
 access-session control-direction in
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber WiredDot1xClosedAuth_MAB_1X
!

#interface configuration - assigning AP-WiredDot1xClosedAuth template
interface GigabitEthernet1/0/2
 description *WIFI*
 switchport access vlan 120
 switchport mode access
 device-tracking attach-policy IPDT
 ip arp inspection trust
 no logging event link-status
 load-interval 30
 no snmp trap link-status
 source template AP-WiredDot1xClosedAuth
 spanning-tree portfast trunk
 spanning-tree guard root
end
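As an added check (example code written for this thread, not Jiri's or Cisco's; the sample config and the interface/template names in it are constructed to mirror the one posted above), a small Python audit that parses IOS-style template/interface blocks and reports when the AP port pattern described (port starts in access mode, the sourced template uses multi-host closed auth, and the template ISE assigns flips the port to trunk) is not met:

```python
"""Audit an IOS-style config for the AP 802.1X pattern from this thread."""
import re

# Constructed sample mirroring the posted config (not a real device dump).
SAMPLE = """
template AP-Authz
 switchport trunk native vlan 120
 switchport mode trunk
!
template AP-WiredDot1xClosedAuth
 dot1x pae authenticator
 mab
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 120
 switchport mode access
 source template AP-WiredDot1xClosedAuth
end
"""

def parse_blocks(text):
    """Return {block_header: [indented lines]} for template/interface blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if re.match(r"^(template|interface)\s+\S+", line):
            current = line.strip()
            blocks[current] = []
        elif line in ("!", "end"):
            current = None          # block terminator
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit_ap_port(text, iface, authz_template):
    """Return a list of findings; an empty list means the pattern is met."""
    blocks = parse_blocks(text)
    findings = []
    port = blocks.get(f"interface {iface}", [])
    if "switchport mode access" not in port:
        findings.append("port should start in access mode")
    src = [l for l in port if l.startswith("source template ")]
    if not src:
        return findings + ["port has no source template"]
    tmpl = blocks.get(f"template {src[0].split()[-1]}", [])
    # multi-host is what keeps bridged wireless clients from being challenged
    for need in ("access-session host-mode multi-host", "access-session closed",
                 "access-session port-control auto"):
        if need not in tmpl:
            findings.append(f"auth template missing '{need}'")
    if "switchport mode trunk" not in blocks.get(f"template {authz_template}", []):
        findings.append(f"{authz_template} does not set trunk mode")
    return findings
```

Run it against `show running-config` output to spot a port that is trunked before authentication or a template left in multi-auth mode.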

Thank you very much

And on your ISE, you just enter the interface template AP-Authz in the authZ profile? No VLAN or DACL?