06-29-2024 09:34 AM
Got a weird one.
While removing authentication open from the cisco switchport configs on our meraki access points we are noticing windows 10 clients trying mab on that switchport after a successful wireless 802.1x auth on ise via the access point. They then do not get an IP address because of this. If I add their wifi mac to a mab profile everything works.
I am testing on windows 11 clients as well, same eap-tls gpo and they are auth fine wireless 802.1x and dont try to do mab on the ap switchport.
Ive compared everything policy-wise and am not sure why the windows 10 clients are trying mab on the ap switchport.
ISE 3.1.0.518 patch 4,6,8
06-30-2024 07:16 AM
oops my bad windows 11 is doing it as well.
07-01-2024 03:34 PM
You use CoA ? Are you sure the policy of guest is not conflict with wifi client
MHM
07-03-2024 07:10 AM
Im not sure what you are asking. the clients authenticate using 802,1x on the access point just fine but then the switchport that the access point is connected to tries to authenticate them via mab after that.
07-03-2024 07:33 AM
@jrmcfarland sounds like your APs are configured using Flexconnect and the switchport interface is configured to authenticate every MAC address (multi-auth?).
You could perhaps configure the switchport interface host-mode in "multi-host", which requires that at least one MAC address must authenticate successfully (which would be the AP), the other MAC addresses of the wireless clients would not be required to authenticate.
Or do not use Flexconnect and tunnel the user traffic to the controller, then these devices would not be seen by the switch.
You could look at your Wired 802.1X policy set to work out why these clients cannot authenticate, but it is pointless authenticating them again via the Wired policy. Try the first 2 options above.
07-03-2024 08:41 AM
well my solution is what it is. I took all of my mac addresses that are part of AD and imported them into a static mac group and have the mab policy reference it. I was expecting something special to handle macs on the switchport for the ap but this works and frankly im a bit disappointed with the lack of examples and documentation. 802.1x works like it did before and I no longer get a deny on the port due to mab
07-03-2024 03:25 PM - edited 07-03-2024 03:26 PM
The switchport connecting to a FlexConnect or cloud-managed AP (like Meraki) is typically configured as a trunk port to provide for dynamic VLAN assignment. Trunk ports do not support MAB/802.1x, so it is typically understood that this is not a NAC-enabled switchport.
EAP is a layer 2 protocol, so the EAP communication happens directly between the client and AP. There is no method for the AP to 'pass-through' the 802.1x authentication to another upstream authenticator (like the switchport).
Some customers have used Auto SmartPort macros to change the configuration on a NAC-enabled switchport to a trunk when a Cisco Flex AP is connected. You might try using a similar configuration with the Meraki AP.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide