Meraki

Community

802.1x Push Ports to Guest Vlan

AhmedJawad
Getting noticed
‎Jul 19 2023 9:57 AM
‎Jul 19 2023 9:57 AM

802.1x Push Ports to Guest Vlan

Hi All, 

 

  I have MS Switches on 14.33.1

 

 MAB access policy below 

AhmedJawad_0-1689785611995.png

 

My requirement is to have a fail open " when there is an outage on ISE, the port need to set to open with no 802.1x" 

that is why I have my critical auth vlan as the data vlan. in my case is vlan 2 

 

My problem it has been for a long time now is that even though ISE is sending Radius accept "I see the logs on ISE " , Meraki port is getting put in guest vlan 

 

AhmedJawad_1-1689785818078.png

 

 

0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 19 2023 10:04 AM
‎Jul 19 2023 10:04 AM

It the right policy been applied?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
AhmedJawad
Getting noticed
‎Jul 19 2023 10:18 AM
‎Jul 19 2023 10:18 AM

YES ! 

0 Kudos
In response to AhmedJawad
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 19 2023 6:39 PM
‎Jul 19 2023 6:39 PM

How is your policy result configured?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
AhmedJawad
Getting noticed
‎Jul 20 2023 6:44 AM
‎Jul 20 2023 6:44 AM

Do you mean the Cisco ISE policy ? 

0 Kudos
In response to AhmedJawad
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 20 2023 6:49 AM
‎Jul 20 2023 6:49 AM

Nope, the authorization profile. Under Ploicy > Policy Elements > Results > Authorization >  Authorization Profiles

 

 

 

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
AhmedJawad
Getting noticed
‎Jul 20 2023 1:04 PM
‎Jul 20 2023 1:04 PM

Below 

AhmedJawad_0-1689883429485.png

AhmedJawad_1-1689883451606.png

 

0 Kudos
In response to AhmedJawad
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 20 2023 1:13 PM
‎Jul 20 2023 1:13 PM

If you want a specific VLAN why are you not overriding the VLAN on your Authorization Profile?

 

Dynamic VLAN Assignment
MS switches can dynamically assign a VLAN to a client device by configuring the switchport to use the VLAN ID received via the RADIUS attribute Tunnel-Pvt-Group-ID. It may be necessary to perform dynamic VLAN assignment on a per computer or per user basis. This can be done on your wired network via 802.1X authentication (RADIUS).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
AhmedJawad
Getting noticed
‎Jul 20 2023 3:25 PM
‎Jul 20 2023 3:25 PM

Im not trying to move the Vlan, 

the port needs to stay in its Vlan 2 when it gets Radius accept. 

but in my case, the switch is sending the port to the guest vlan instead 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 19 2023 1:27 PM
‎Jul 19 2023 1:27 PM

I don't know the answer.

 

It looks like you have to have RADIUS testing enabled, and if that fails, it triggers the critical auth vlan.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)#Other_RADIUS_F... 

In response to PhilipDAth
AhmedJawad
Getting noticed
‎Jul 20 2023 6:44 AM
‎Jul 20 2023 6:44 AM

My critical auth Vlan is the same as my data vlan. we had some issues on the ISE before but there was no impact on the port. 

my issue is the guest vlan 

 

thank you! 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.