08-02-2023 02:45 PM
We have Meraki MRs and MXs throughout the state of California and it's working fine, but we're looking at implementing certificate-based 802.1X authentication. It's working at our remote sites, which have MXs and DIA circuits, and our testing there is successful, but not so much at our HQ. Our HQ has a point-to-point gigabit Ethernet circuit and has a direct connection to the datacenter, which is also where all of our devices tunnel into to gain egress to the internet. At HQ, there is no MX since it's a direct fiber connection to the AT&T switch, and on the other side of that 10G interface is our core switch.
That being said, we have MRs and MS switches at HQ, but no MX, and 802.1X auth is not working. We've been banging our heads against the wall trying to figure this out, but I'm wondering, is there some kind of encapsulation that we're missing out on and that's why it's not working? We can verify routes to and from the NPS server, the clients, and MRs from all directions. We've confirmed via packet captures and logs that the attempts are there. But we're running out of things to try. Does anyone know if we need an MX at our HQ building to make this work?
08-08-2023 03:39 AM
Can you see in pcaps towards your clients that the TLS session is fully formed? Is it an EAP-TLS or an EAP-PEAP with certificate inside?
12-25-2023 01:34 AM
I would create an NPS connection policy just for the HQ access points and add an MTU entry (try different MTU packet sizes) within the connection policy just for the HQ.
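The MTU suggestion above comes down to how large each RADIUS Access-Challenge becomes on the wire once the server's EAP-TLS fragment is wrapped in EAP-Message attributes, which is where a point-to-point circuit with a smaller path MTU can silently break the TLS handshake that the earlier reply asks about. As an added example (not from this thread, Meraki or NPS), this Python script builds a constructed Access-Challenge and reports whether it would need IP fragmentation for a given path MTU; the fragment sizes, the 1500-byte path MTU and the zeroed Message-Authenticator are assumptions.

```python
import struct

# RADIUS (RFC 2865) codes and attribute types used below.
ACCESS_CHALLENGE = 11
ATTR_EAP_MESSAGE = 79          # RFC 2869: one EAP packet, split into <=253-byte chunks
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_TLS = 13
IP_UDP_OVERHEAD = 20 + 8       # IPv4 + UDP headers, no IP options
RADIUS_MAX_LEN = 4096

def build_eap_tls_fragment(eap_id, tls_chunk, tls_total_len, more):
    # EAP-TLS Request with the L (length included) and M (more fragments) flags, RFC 5216 3.1.
    flags = 0x80 | (0x40 if more else 0)
    length = 4 + 1 + 1 + 4 + len(tls_chunk)
    return struct.pack("!BBHBBI", 1, eap_id, length, EAP_TLS, flags, tls_total_len) + tls_chunk

def build_access_challenge(ident, eap_packet):
    # RADIUS carries one EAP packet across consecutive EAP-Message attributes of <=253 bytes each.
    attrs = [(ATTR_EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253)]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder HMAC, constructed
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    if length > RADIUS_MAX_LEN:
        raise ValueError("RADIUS packet exceeds 4096 bytes")
    return struct.pack("!BBH", ACCESS_CHALLENGE, ident, length) + bytes(16) + body

def parse_radius(datagram):
    # Minimal RADIUS header + attribute TLV parser with length sanity checks.
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def mtu_report(datagram, path_mtu):
    # Reassemble the EAP packet and decide whether this datagram needs IP fragmentation.
    code, _, attrs = parse_radius(datagram)
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    wire = len(datagram) + IP_UDP_OVERHEAD
    return {"code": code, "eap_len": len(eap), "wire_bytes": wire, "needs_ip_fragmentation": wire > path_mtu}

# Constructed scenario: first piece of a 4000-byte server certificate chain, sent as a
# 1500-byte EAP fragment versus a 1000-byte one, across a 1500-byte path MTU.
BIG = build_access_challenge(1, build_eap_tls_fragment(7, bytes(1490), 4000, True))
SMALL = build_access_challenge(2, build_eap_tls_fragment(7, bytes(990), 4000, True))
```

Calling `mtu_report(BIG, 1500)` and `mtu_report(SMALL, 1500)` shows the larger fragment exceeding the path MTU while the smaller one fits, which is the effect a lower Framed-MTU in the NPS policy is meant to produce.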