Dynamic Vlan/Similar option is not working for Wired Clients (MAB/8021x) on Meraki Switches

Sachin
Comes here often

Dynamic Vlan/Similar option is not working for Wired Clients (MAB/8021x) on Meraki Switches

Is it possible to configure a dynamic vlan allocation via Cisco ISE (Radius Server) for wired clients (MAB/8021X) ?  If I configured a SSID on Cisco MR & having an option "RADIUS override", to get the VLAN-ID from my RADIUS-Server. On Cisco Meraki Switches unable to find such any option. Do you guys know if the "RADIUS override" option (or something similar options) is configurable for wired clients on a Meraki MS-Switch?

8 Replies 8
ww
Kind of a big deal
Kind of a big deal
Sachin
Comes here often

Thanks @ww. I have referred this document but it is not working (getting error could find the authentication profile created for wired clients) so please provide any other solution & share some screenshot.

Nash
Kind of a big deal

If you've referred to the document and you're still having problems, I have to ask: Have you consulted Meraki Support?

PhilipDAth
Kind of a big deal
Kind of a big deal

I've done a couple of deployments with wired 802.1x, except I use Microsoft NPS instead of ISE.  In the cases I did I used a Cisco Meraki Access policy to specify the VLANs to use - rather than dynamically assigning them from RADIUS.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

 

The documentation says that dynamic VLAN assignment is supported though.  Make sure you are passing all theee required parameters from ISE back to the switch (Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and Tunnel-Type).

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Dynamic_VLAN_assignment_via_802.1X_(...

 

 

CptnCrnch
Kind of a big deal
Kind of a big deal


@PhilipDAth wrote:

The documentation says that dynamic VLAN assignment is supported though.  Make sure you are passing all theee required parameters from ISE back to the switch (Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and Tunnel-Type).

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Dynamic_VLAN_assignment_via_802.1X_(...

 

 


That‘s a thing ISE does by default when returning a user defined VLAN

Sachin
Comes here often

Still Dynamic Vlan assignment feature is not working with Cisco Meraki MS. Even I have configured the authorization profile & followed the instruction as received by PhilipDAth & applied it on Authorization policy. If I selected the default authorization profile "Permit Access" in authorization policy then it works. Means something is wrong with Authorization profile which is not working with Cisco Meraki MS. Please suggest if someone have any other solution for Dynamic Vlan assignment.

 

Error on Cisco ISE:

 

15011Authorization Policy not configured
15019Could not find selected Authorization Profiles

 

Event5400 Authentication failed
Failure Reason15019 Could not find selected Authorization Profiles
Root causeCould not find selected Authorization Profiles

 

CptnCrnch
Kind of a big deal
Kind of a big deal

Looks like ISE is not hitting the AuthZ / authorization policy as expected. Therefore it isn‘t able to return the profile. Nothing wrong on the Meraki side of things.

Attaar
Comes here often

Do you have the instructions to implement wired 802.1x with dynamic VLANs ? Appreciate your help 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels