802.X deployment best practices - recommendations

MSakr
Getting noticed

802.X deployment best practices - recommendations

Hi All

We are looking to implement 802.X for MAC Bypass and or certificate based access.. the aim is to enforce access control over physically accessible / exposed to visitors ports.. 

Can someone from the Gurus here propose the best possible solution? we are an all Cisco Meraki..

Some concerns to address: Radius/ISE high availability , Cloud solution would be an option like ISE on cloud... if we go with ISE, what added benefits will it bring vs any SaaS based or other Radius.. 

The solution must support multiple Networks.. thus Org wide Radius will be used

 

Thanks

 

5 Replies 5
DarrenOC
Kind of a big deal
Kind of a big deal

So when he’s not captaining the England Cricket team he’s also a Network Engineer!

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
MSakr
Getting noticed

Hi

Yeah, I am aware of ISE.. but wanted to see if Meraki Systems Manager would do the trick or any recommendations before investing in an additional platform if going ISE, would a cloud option support HA.. as we don't want to lockout our users if one ISE instance fails ..

Crocker
A model citizen

If the only thing you're interested in is basic 802.1X/Radius (and you're a Microsoft shop), you could also look at Microsoft's Network Policy Server (NPS). We had it available as part of our Microsoft contracting, and it was a breeze to set up and configure. For HA, we just set up 2 NPS servers and mirrored policy configurations between them, then pointed our Meraki stuff at both of them.

 

ISE only for Radius is major overkill, IMO. Now, if you're looking to move into a more zero-trust security approach and have the budget/time to fully build out/utilize ISE's full suite of features, it's hands-down one of the better options. But just for radius? That's pulling a wagon with a semi.

PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki Systems Manager is too limited in this area to be used.

PhilipDAth
Kind of a big deal
Kind of a big deal

There are two major solutions that spring to mind.

 

Cisco ISE.  It's expensive.  It can do everything you ask.  You'll need a three-node cluster to get full HA.

 

Microsoft NPS.  It can do 80% of what you want.  It's crap at MAC bypass - so exclude that as an option.  Instead require all devices that connect to support EAP-TLS 802.1x  and use pure certificate authentication.  This will preclude you from buying certain vendor products moving forward because they wont be able to meet your security standard of requiring EAP-TLS 802.1x support.  You need to standard strong on your security policy.

 

If you use NPS then lean on Meraki features like "Smart Ports" to be able to auto-recognise certain devices and allow them to connect without needing 802.1x.

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/SmartPorts

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels