Meraki

RaphaelL · ‎May 30 2022

Hi ,

We have a setup with MX68 with all ports configured with Hybrid Auth ( 802.1X and MAB ). In certain regions , we often lose power and the MX will reboot.

Most of the time ( 90% of the time ) , the devices directly connected to the MX will be up before the MX has time to get the VPN tunnels up. Since the VPN tunnel is not up yet , the 802.1X and MAB auth fails. On the MX there is a 802.1X reauth timer of 1 hour , so the devices that supports 802.1X will re-auth after 1 hour and will come up online. ( not ideal but still better than nothing ). The MX do not support CoA ( yet ? ) so we can't do anything to force a re-auth

However , many devices do not support .1X and will fail to auth and will never re-auth unless you do a port cycle ( which we can't do on a MX ) or you unplug the ethernet cable.

Do you guys experience this ? Any wild suggestion ?

We can't disable the port because the MX are in a big template with many other sites , we can't place a small 8 port switch ( too expensive , too many sites ). I feel like I'm out of options ( simple ones though )

Thanks ,

PhilipDAth · ‎May 30 2022

That is tricky.

Could you ask Meraki support to increase the RADIUS timeout timer, to be longer than the time it takes the VPN to come up? For example, 3 attempts 60s apart.

RaphaelL · ‎May 31 2022

Good idea ! However , Meraki has stated that the re-auth timer is a fixed 1h because of hardware limitation.

I would be great to adapt the firmware to reprocess the auth either on a timer like you suggested or via the dashboard ( eg : re-auth all clients in the ''Tools'' tab or something like that )

PhilipDAth · ‎May 31 2022

>Good idea ! However , Meraki has stated that the re-auth timer is a fixed 1h because of hardware limitation.

That's why I think having the RADIUS timeout adjusted would be the easiest thing to try.

Meraki

Community

MX and Hybrid Auth

MX and Hybrid Auth