Hello community,
I have a very specific problem. We migrated 80% of our access switches to Meraki 225-48LP. MAC computers are not getting 802.1x authenticated when connected with wire to MS swithes. They work fine on old cisco SW and also on wifi. I also have Windows clients that work fine wired connected.
These are the logs from ISE when failing:
| 15016 | Selected Authorization Profile - STG170_HELPDESK,HRZ_U-HD | |
| 22081 | Max sessions policy passed | |
| 22080 | New accounting session created in Session cache | |
| 12705 | LEAP authentication passed; Continuing protocol | |
| 11503 | Prepared EAP-Success | |
| 11006 | Returned RADIUS Access-Challenge | |
| 5440 | Endpoint abandoned EAP session and started new ( |
and this is the log when working (connected to old cisco sw)
| 15016 | Selected Authorization Profile - STG170_HELPDESK,HRZ_U-HD | |
| 22081 | Max sessions policy passed | |
| 22080 | New accounting session created in Session cache | |
| 12705 | LEAP authentication passed; Continuing protocol | |
| 11503 | Prepared EAP-Success | |
| 11006 | Returned RADIUS Access-Challenge | |
| 11001 | Received RADIUS Access-Request | |
| 11018 | RADIUS is re-using an existing session | |
| 12704 | LEAP completed. Sent EAP-Response containing LEAP challenge-response and cisco-av-pair containing LEAP session-key | |
| 11002 | Returned RADIUS Access-Accept |
Another strange thing is in Meraki logs I see EAP success received but the port still appears in "Not forwarding due to access policy" .
| Mar 3 12:13:38 | roish-mac | 802.1X EAP success | port: 25, identity: roisht-mac$@domain.corp |
| Mar 3 12:13:38 | roish-mac | 802.1X deauthentication | port: 25 |
| Mar 3 12:12:38 | roish-mac | 802.1X EAP success | port: 25, identity: roisht-mac$@domain.corp |
| Mar 3 12:12:38 | roish-mac | 802.1X deauthentication | port: 25 |
and a packet capture on meraki switchport where the MAC is connected:
