MAC authentication on MX67

Jimbo1
Here to help

MAC authentication on MX67

I have an MX67 which has a VPN tunnel to an MX84. I want to authenticate devices onto the MX67 ports based upon their MAC address. I already have devices authenticated by dot1x supported by an ISE over the tunnel. I cannot use MAB to authenticate the non-dot1x devices because MAB on an MX67 does not work with the ISE, which requres the "call-check" attribute and which the MX does not supply.

 

It has been suggested that I could set up a "deny-any-any" firewall rule on the MX67, then whitelist the MAC addresses of the required clients. However, I don't see a way of doing that without disabling the ports that are successfully authenticating with dot1x, and as a result having to reconfigure the ports that were authenticating with dot1x to authenticate with whitelisted MAC addresses, which is inferior and less secure than dot1x.

 

Have I missunderstood the situation, or does my description and diagnosis above sound right?

 

Thanks

 

Jim

0 REPLIES 0
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels