MAC authentication on MX67

I have an MX67 which has a VPN tunnel to an MX84. I want to authenticate devices onto the MX67 ports based upon their MAC address. I already have devices authenticated by dot1x supported by an ISE over the tunnel. I cannot use MAB to authenticate the non-dot1x devices because MAB on an MX67 does not work with the ISE, which requires the "call-check" attribute and which the MX does not supply.


It has been suggested that I could set up a "deny-any-any" firewall rule on the MX67, then whitelist the MAC addresses of the required clients. However, I don't see a way of doing that without disabling the ports that are successfully authenticating with dot1x, and as a result having to reconfigure the ports that were authenticating with dot1x to authenticate with whitelisted MAC addresses, which is inferior and less secure than dot1x.


Have I misunderstood the situation, or do my description and diagnosis above sound right?




