Meraki

Community

MX68 and 802.1x

ali_abbass85
Getting noticed
‎May 28 2019 11:03 AM
‎May 28 2019 11:03 AM

MX68 and 802.1x

Hello everyone

We had a case of deploying very small branches and we opt for using the Meraki MX68 as a solution, with many sites without MS switches.
During our study we looked at the MX65, however we knew that this will be EoS, and the replacement would be the MX68, we bought MX68 for all these branches.
The issue is that we require the 802.1x Wired LAN authentication option on the MX68, which seems to be dropped by Meraki, the MX65/MX64 fully supports the 802.1x.

I raised a ticket and could not have even a little support from the Meraki team, tomorrow I will be calling them and giving them some shouts.

Has anyone required the 802.1x on the MX68? did Meraki enable this for you?

0 Kudos
31 Replies 31
SoCalRacer
Kind of a big deal
‎May 28 2019 11:20 AM
‎May 28 2019 11:20 AM

https://meraki.cisco.com/lib/pdf/meraki_datasheet_mx.pdf

 

Per this doc the MX65 does not support 802.1x. You need the wireless model of 65 or 68 (MX65W, MX68W, or MX68CW)

0 Kudos
TimBisel
Getting noticed
‎May 28 2019 12:02 PM
‎May 28 2019 12:02 PM

I mean it sucks and maybe you can call your rep and see if you can get them swapped out or something to save some face with your company. But man I got to call you out for being that guy who is in a industry where we are always getting blamed for everything and people screaming at us because its broken and you have the nerve to do that to another IT professional. Man you know full well who ever you are going to call and "Give some shouts" to had nothing to do with the design change, the possibility of you swapping it out for the hardware you need, any policy that will prohibit that from happening, how long it took you to realize it wont work, and your blind ignorance and laziness of not checking the documentation before making an order. Seriously man not cool.
In response to TimBisel
ali_abbass85
Getting noticed
‎May 28 2019 11:33 PM
‎May 28 2019 11:33 PM

When I raise a ticket to a support desk, I expect a reasonable answer, not just saying MX68 does not support 802.1x. If Meraki would say MX68 is a replacement for MX65, then you should expect that all the features to be available, if not this should be mentioned somewhere, I did read all the documentation for MX65 and I know what I am taking about. Such comment from you does not help in any way.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 28 2019 12:04 PM
‎May 28 2019 12:04 PM

The 802.1x support has only ever been for wireless connections.  Never for wired connections.

0 Kudos
In response to PhilipDAth
ww
Kind of a big deal
Kind of a big deal
‎May 28 2019 12:11 PM
‎May 28 2019 12:11 PM

@PhilipDAth   you can enable it on the interface of the mx 64 and 65 if you set it to access mode. for the 67 and 68 this function should work in the near future (with beta firmware)

0 Kudos
In response to ww
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 28 2019 12:21 PM
‎May 28 2019 12:21 PM

I stand corrected.  I just tried it and you can enable 802.1x on an MX65 wired port.

0 Kudos
In response to ww
ali_abbass85
Getting noticed
‎May 28 2019 11:35 PM
‎May 28 2019 11:35 PM

Thanks @ww for your answer, do you have any reference stating that this will be available in a beta firmware? I can wait for it, or even test it in production.
0 Kudos
In response to ali_abbass85
SoCalRacer
Kind of a big deal
‎May 28 2019 11:42 PM
‎May 28 2019 11:42 PM

If I'm reading this correctly then it should already be available.

 

https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X).

 

 

0 Kudos
In response to SoCalRacer
ali_abbass85
Getting noticed
‎May 29 2019 12:07 AM
‎May 29 2019 12:07 AM

@SoCalRacer , yes it is available for MX64/65 and not for MX67/68:
"MX64(W) and MX65(W) Security Appliances as well as Z3(C) Teleworker Gateways support port-based access policies using 802.1X. This feature can be leveraged for deployments where extra authentication is desired for devices that are connecting to the MX."
0 Kudos
In response to ali_abbass85
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 29 2019 4:57 AM
‎May 29 2019 4:57 AM

Well , 

 

We have over 300 MX68 with 802.1X enabled and over 1200 MX65.  We are running the 14.39 firmware.

0 Kudos
In response to RaphaelL
SoCalRacer
Kind of a big deal
‎May 29 2019 7:48 AM
‎May 29 2019 7:48 AM

I have MX67s on 14.39 and this change is not available. I also looked through the firmware release notes and I didn't see one that indicated it was turned on. Also alot of the release notes seems to show they are having issues with this on the 64/65 so I wonder if they is delaying roll out.

0 Kudos
In response to SoCalRacer
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 29 2019 10:23 AM
‎May 29 2019 10:23 AM

Here is a screenshot. This is a template for our MX65-68. Access policy is hybrid ( MAB and 802.1x ) and it is working like a charm 

 

8021x.png

In response to SoCalRacer
SoCalRacer
Kind of a big deal
‎May 29 2019 10:23 AM
‎May 29 2019 10:23 AM

Confirmed with support 802.1x wired is not available on MX67/MX67W/MX67C/MX68/MX68W/MX68CW up to firmware 15.13 , which is the highest beta firmware currently. It is is set to be implemented, but you will have to wait to watch release notes on the new beta firmware.

0 Kudos
In response to SoCalRacer
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 29 2019 10:55 AM
‎May 29 2019 10:55 AM

Ah ! I think we had our Meraki Rep to enable this feature for us.

 

It is the only explanation that I can give for the moment.

 

 

 

EDIT : Tested and ... not working with 14.39 firmware and MX67/MX68 series. Seems like you are right about it. I will test the latest version and report the results

0 Kudos
In response to RaphaelL
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 29 2019 12:30 PM
‎May 29 2019 12:30 PM

Even with the latest firmware it is not available  : 

 

 

Support : 

Wired 802.1x is planned for the MX67/68 platform, however, it is unfortunately, not available at this time. Support does not have an ETA of when this will be available and what firmware build will include this feature. Let us know if you have any further questions.

In response to RaphaelL
Aaron_Wilson
A model citizen
‎May 29 2019 7:00 PM
‎May 29 2019 7:00 PM

I asked about this when I first got the MX67/68 last year. It's one of the huge oversights in my opinion. I can't believe they did not have port security in a brand new device superseding an older model which did have the feature.

This really needs to be enabled.
In response to Aaron_Wilson
ali_abbass85
Getting noticed
‎May 29 2019 11:33 PM
‎May 29 2019 11:33 PM

@Aaron_Wilson, this is exactly what I am referring to, the MX is a security device after all, they cannot drop a feature which would secure LAN ports, when I contacted support they never provided a solid answer, they just said this feature is not available.
I am with you this should really be enabled.
0 Kudos
In response to ali_abbass85
Aaron_Wilson
A model citizen
‎May 30 2019 2:34 AM
‎May 30 2019 2:34 AM

Oh, here is the reply I received back in Nov 2018, similar to others:

"Thank you for contacting Cisco Meraki Technical Support!

Aaron, the MX67/68 series currently doesn't support port-based access policies using 802.1x. The feature set will be addressed in a future firmware upgrade when tested and released by our Development team. Let me know if you have any questions.
Thanks!"
0 Kudos
In response to Aaron_Wilson
ali_abbass85
Getting noticed
‎May 30 2019 2:51 AM
‎May 30 2019 2:51 AM

Below is what I received, and it does not give any hint that this would be enabled in the future, but again, which future are we talking about, if you raised this 6 month back and till no there is no plan for it.

"The 802.1X feature is MX model specific and it is not possible to enable it on MX68 and MX84.
Unfortunately there is no way to enable it."
0 Kudos
In response to Aaron_Wilson
Aaron_Wilson
A model citizen
‎Aug 12 2019 4:59 PM
‎Aug 12 2019 4:59 PM

Just a heads up. I tested port security on my MX68W and it was horrible. Countless errors in the dashboard and the MX rebooted every couple hours. Had to roll back to 14.x to make it "normal" again.
0 Kudos
In response to Aaron_Wilson
ali_abbass85
Getting noticed
‎Aug 21 2019 3:51 AM
‎Aug 21 2019 3:51 AM

An update on this post.
I contacted a Meraki Architect and he enabled the 802.1x for our dashboard on the MX68 devices, however he mentioned that I need to have the latest beta version and this is only for Lab testing.

We tested this in our lab and it seems to be working, I will not be deploying this to our production environment until this is official announced in the next 3 month (as per the Meraki Architect).

 

0 Kudos
In response to ali_abbass85
Aaron_Wilson
A model citizen
‎Aug 23 2019 8:30 AM
‎Aug 23 2019 8:30 AM

Was that a MX68 or 68W?
0 Kudos
In response to Aaron_Wilson
ali_abbass85
Getting noticed
‎Aug 23 2019 8:53 PM
‎Aug 23 2019 8:53 PM

It is an MX68, the subject is about wired port security.

0 Kudos
In response to ali_abbass85
Aaron_Wilson
A model citizen
‎Aug 24 2019 4:11 AM
‎Aug 24 2019 4:11 AM

MX68W has wired ports too 😉
0 Kudos
In response to RaphaelL
ali_abbass85
Getting noticed
‎May 29 2019 11:35 PM
‎May 29 2019 11:35 PM

@RaphaelL , I tested the latest beta firmware before posting here, it is not there, but if you had a feedback from support this is planned for the MX67/68 then, what we can only do is wait. I believe this is an important feature which should be kept.
0 Kudos
In response to ali_abbass85
DavidWitt
Conversationalist
‎Jan 16 2020 8:06 PM
‎Jan 16 2020 8:06 PM

I spoke with Meraki support this week about this feature missing on the MX68CW.  They indicated that the feature was pulled due to a bug that would send the MX into a reboot loop.  After some back and forth with support they indicated that the patch was actually available in the latest published beta firmware (15.23 - Released 1/6/2020).  I had to update to the indicated beta firmware and recontact support so they could turn a backend knob to re-enable the feature.  Fortunately this did restore the functionally and I was able to successfully test/validate dot1x on this platform.

In response to DavidWitt
Khue
New here
‎Mar 30 2020 6:40 PM
‎Mar 30 2020 6:40 PM

Hey just wanted to follow up on this thread. I am currently running 14.40 across the board. My Z3s have been doing 802.1x quite well for at least a few months now. I just got some mx68s and it appears like they are NOT doing 802.1x. Has there been an official firmware release that supports 802.1x for the mx68s? 

0 Kudos
In response to Khue
Aaron_Wilson
A model citizen
‎Mar 31 2020 4:25 AM
‎Mar 31 2020 4:25 AM

@Khue- you will need to go to the 15.x train. It became stable for me after some more recent code versions, I'm on 15.27 right now.

0 Kudos
SopheakMang
Building a reputation
‎Mar 31 2020 8:22 AM
‎Mar 31 2020 8:22 AM

You have tried this with cisco ISE yet ?

0 Kudos
In response to SopheakMang
Aaron_Wilson
A model citizen
‎Mar 31 2020 8:32 AM
‎Mar 31 2020 8:32 AM

Yup. Running hybrid auth on the Meraki port and pointing to ISE for radius auth.
0 Kudos
JamesFlorance
Here to help
‎Mar 31 2020 12:36 PM
‎Mar 31 2020 12:36 PM

We had issues on the 15.x train. We had to roll back to 14.4.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.