Access Manager - switch port policy question

Solved
TimothyM
Conversationalist

I am working on securing our physical switch ports (using 802.1x). I was originally planning on using RADIUS to authenticate our already existing computer certificates, but I watched this fantastic demo from Jaideep Kukunuru, and he went over certificate-based authentication through Meraki Access Manager, where you import your CA certificate chain into Access Manager, and you can create a rule to call upon specific fields (like subject common name) that will read the certificate on the endpoint. (Demo link - On-Demand Session Library - Cisco Live On-Demand - Cisco)

 

So I did that: I imported my CA certificate (intermediate and root) inside of Access Manager. I then set up a rule that uses the issuer common name (for testing) as an allow rule.

 

I then went into the switch -> Configure -> Access policies and created a new policy using "Access Manager" as the authentication method, host mode "Single-Host", and "Hybrid authentication", as I will use MAB to authenticate our phone VLAN.

 

I then went to the switch port, and added this new access policy to the port.

 

My problem is that it does not authenticate. However, per the demo by Jaideep Kukunuru, it should definitely work. Per the demo, the Authenticated users section is optional and not required. I am doing a POC on this and am just stuck. I tried opening tickets with Meraki support but am getting different answers, as this is a newer feature. I am reaching out to the community for any assistance and would love some feedback.

 

Thank you, I know this is a long post. I tried to keep it as trim as I can, as I can go into really deep detail; if you need more detail to help me out, let me know in your comments. This is my only priority and I have been spinning my wheels the past couple of days trying to get this working.

1 Accepted Solution
TimothyM
Conversationalist

I have moved on beyond Access Manager; after hours and hours of trying to get the certificate-based authentication to work, it failed. My support tickets have gone silent, and I don't mind testing this new feature, but it is broken. I appreciate everyone from this thread attempting to help, but it's not functional. It's a pipe dream to get 802.1x deployed; although Jaideep Kukunuru gave a great presentation back at Cisco Live, it's not real. It's a fake demo without any proof of working properly. I have exhausted all my resources on tireless testing and am completely discouraged with this experience. Meraki support offered no solution, nor would they escalate my issue.


6 Replies
GIdenJoe
Kind of a big deal

Does the session log provide any details? Or does the switch not even start with the EAP messages?

PhilipDAth
Kind of a big deal

+1 to @GIdenJoe. Check this out:

PhilipDAth_0-1755206211250.png

 

Also, have a look at these setup guides:

https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides

 

PhilipDAth
Kind of a big deal

Also under certificates, make sure your root CA is configured to be a trust anchor.

PhilipDAth_0-1755206325050.png

 

Use the three dots on the right-hand side and ...

PhilipDAth_1-1755206363528.png

 

TimothyM
Conversationalist

Thank you for your replies (my apologies, I had some other time-sensitive issues and could not reply sooner).

 

First, I am using MS225 switches; these do not support adaptive policy, but do support access rules. I am not leveraging the policies as I am unable to do so.

 

The switch name is SW255, so in the Meraki portal under 'Switching' -> 'Configure' -> 'Access policies' is where I defined my access policy 'Test 802.1x wired'. The authentication method is Access Manager, host mode 'single-host' (recommended by the demo video), and the access policy type I set to 'Hybrid authentication', as I will use MAB for the IP phones and I will input the MAC addresses into Meraki (in my lab environment I ONLY have a laptop set up).

access_policy1.jpg

Next comes the certificate. I imported and merged our root and 2 intermediate certificates (as we have 2 CA certificates). I initially had the intermediate certs set to active and as the anchor, but per your recommendation I have set the root cert as the anchor. Below are the details (names have been edited).

Snag_171fbe1.png

 

Snag_172ae68.png

 

Next is the access rules: inside Access Manager -> Policies -> Access rules, I created a rule called "testing1", where I associated the name that contained "certroot" to allow access.

Snag_1746aed.png

access_rule2.jpg

The last step was assigning the access policy "Test 802.1x wired" to the port, on SW255 port 4.

Snag_175585a.png

 

Below is the event log, showing failed authentications. Is there anything else to be done? Something I missed?

 

eventlogs.jpg
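To make the chain-validation and rule-matching steps described in this post concrete, here is an added Go example (not Meraki code and not from the demo): it constructs a lab root CA, one intermediate and a client certificate, validates the client cert up to the root trust anchor through the intermediate with the client-auth EKU, and evaluates a "contains" rule on the issuer or subject common name the way an access rule does. The CA names ("certroot", "certissuing1"), the laptop CN and the keys are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// makeCert issues a certificate for cn signed by parent (a self-signed root when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed lab key pair, discarded after the test
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // only the endpoint certificate carries the EAP-TLS client-auth EKU
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain returns the validated path(s) from the endpoint certificate, through the imported
// intermediates, to root (the only trust anchor), as an EAP-TLS verifier would build them.
func verifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	return leaf.Verify(opts)
}

// ruleMatches mirrors an access rule of the form "<field> contains <text>" evaluated on the endpoint cert.
func ruleMatches(c *x509.Certificate, field, text string) bool {
	values := map[string]string{"issuer-cn": c.Issuer.CommonName, "subject-cn": c.Subject.CommonName}
	return strings.Contains(values[field], text)
}
```

Two things the run makes visible: validation fails as soon as the intermediate is missing from the imported set, and the endpoint certificate's issuer CN is the intermediate's name, not the root's, which matters for a rule keyed on issuer common name.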

TimothyM
Conversationalist

So in the Access Manager session logs, here is the error. Since I only have a test laptop attached to the port, I changed the access policy from 'Hybrid Authentication' to '802.1x'; below is a screenshot of the logs. I wish it would give more details, but that is really the meat of the logs. I wish you could see what it's receiving from the endpoint, but it does not reveal this data in the logs.

Snag_196fc5a.png
