802.1X deployment best practices - recommendations

MSakr
Getting noticed

Hi All

We are looking to implement 802.1X for MAC bypass and/or certificate-based access. The aim is to enforce access control over physically accessible ports that are exposed to visitors.

Can someone from the gurus here propose the best possible solution? We are all Cisco Meraki.

Some concerns to address: RADIUS/ISE high availability. A cloud solution would be an option, like ISE on cloud. If we go with ISE, what added benefits will it bring vs. any SaaS-based or other RADIUS?

The solution must support multiple networks, thus an org-wide RADIUS will be used.

Thanks

6 Replies
benstokes
Conversationalist



Implementing 802.1X for MAC address bypass and certificate-based access in a Cisco Meraki environment can be effectively achieved by using Cisco Identity Services Engine (ISE) as your RADIUS server.

DarrenOC
Kind of a big deal

So when he’s not captaining the England Cricket team he’s also a Network Engineer!

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Hi

Yeah, I am aware of ISE, but wanted to see if Meraki Systems Manager would do the trick, or any recommendations before investing in an additional platform. If going ISE, would a cloud option support HA? We don't want to lock out our users if one ISE instance fails.

Crocker
A model citizen

If the only thing you're interested in is basic 802.1X/RADIUS (and you're a Microsoft shop), you could also look at Microsoft's Network Policy Server (NPS). We had it available as part of our Microsoft contracting, and it was a breeze to set up and configure. For HA, we just set up 2 NPS servers and mirrored policy configurations between them, then pointed our Meraki stuff at both of them.

ISE only for RADIUS is major overkill, IMO. Now, if you're looking to move into a more zero-trust security approach and have the budget/time to fully build out/utilize ISE's full suite of features, it's hands-down one of the better options. But just for RADIUS? That's pulling a wagon with a semi.
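The "two NPS servers with mirrored policy" HA pattern from the reply above, as an added example that is not code from the thread or from Microsoft: it exports the primary's NPS configuration, imports it on the secondary over a PowerShell remoting session, and checks that both servers end up with the same RADIUS client list (the Meraki networks). The secondary's hostname is an assumption; the export file contains the RADIUS shared secrets in clear text, so the script deletes it on both hosts when done.

```powershell
# Added example: mirror NPS configuration from the primary to a secondary NPS
# server so both can be listed as RADIUS servers in the Meraki access policy.
# Assumes: run as an administrator on the primary NPS server, WinRM enabled to
# the secondary, and the NPS role (PowerShell module "NPS") installed on both.
param(
    [string]$Secondary  = 'nps2.example.internal',      # assumed hostname
    [string]$ExportPath = "$env:TEMP\nps-config.xml"
)

Import-Module NPS

# Export everything: connection request policies, network policies, RADIUS
# clients and their shared secrets (clear text, so treat the file as a secret).
Export-NpsConfiguration -Path $ExportPath

try {
    $session    = New-PSSession -ComputerName $Secondary
    $remotePath = 'C:\Windows\Temp\nps-config.xml'
    Copy-Item -Path $ExportPath -Destination $remotePath -ToSession $session

    Invoke-Command -Session $session -ScriptBlock {
        param($Path)
        Import-Module NPS
        # Import replaces the secondary's whole NPS configuration with the primary's.
        Import-NpsConfiguration -Path $Path
        Restart-Service -Name IAS                 # NPS runs as the "IAS" service
        Remove-Item -Path $Path -Force            # file holds shared secrets
    } -ArgumentList $remotePath

    # Sanity check: the RADIUS client list must be identical on both servers,
    # otherwise a failover to the secondary would reject some Meraki networks.
    $local  = Get-NpsRadiusClient | Sort-Object Name | Select-Object -ExpandProperty Name
    $remote = Invoke-Command -Session $session -ScriptBlock {
        Import-Module NPS
        Get-NpsRadiusClient | Sort-Object Name | Select-Object -ExpandProperty Name
    }
    if (Compare-Object -ReferenceObject $local -DifferenceObject $remote) {
        Write-Warning "RADIUS client list differs between primary and $Secondary"
    } else {
        Write-Host "NPS configuration mirrored to $Secondary; RADIUS clients match."
    }
}
finally {
    if ($session) { Remove-PSSession $session }
    Remove-Item -Path $ExportPath -Force -ErrorAction SilentlyContinue
}
```

Run it again whenever a policy or RADIUS client changes on the primary; the import is a full overwrite, so edits made only on the secondary are lost.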

PhilipDAth
Kind of a big deal

Meraki Systems Manager is too limited in this area to be used.

PhilipDAth
Kind of a big deal

There are two major solutions that spring to mind.

Cisco ISE. It's expensive. It can do everything you ask. You'll need a three-node cluster to get full HA.

Microsoft NPS. It can do 80% of what you want. It's crap at MAC bypass, so exclude that as an option. Instead, require all devices that connect to support EAP-TLS 802.1X and use pure certificate authentication. This will preclude you from buying certain vendor products moving forward because they won't be able to meet your security standard of requiring EAP-TLS 802.1X support. You need to stand strong on your security policy.

If you use NPS, then lean on Meraki features like "Smart Ports" to auto-recognise certain devices and allow them to connect without needing 802.1X.

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/SmartPorts
