We are implementing dot1x authentication with Cisco ISE and MS120, MR33 and MR46. Every thing works fine but we can't implement Fail Open.
Our goal is that when Meraki switch or AP lose connection with Cisco ISE, like Cisco classic switches, use Fail Open function and permit all clients to the internal vlan (don't authenticate and permit every client) until the connection with ISE comes back again.
Now, when the switch or AP can't reach the ISE If I have a guest vlan configured, they redirect the users to the guest vlan. But if I don't configure the guest vlan, they don't authenticate new users and block the access to the network.
Unfortunately I can't find any information about this in Meraki documentation. Is Fail Open function available in Meraki?
I am interrested also for this feature on meraki switches as we have switches on remote locations using central ISE for 802.1x (connected via meraki VPN to HQ where ISE are located), via EAP-TLS auth (so meraki radius is not an option ...)
If vpn is down to HQ, no ISE are available, i would like to have a fail open scenario = allow access without auth, when ISE radius are not available from Switches
Guest vlan is not an option as when 802.1x auth is rejected, user goes to guest vlan ... this guest vlan cannot be the corporate vlan ...
anyone from Meraki to let us know if this is in roadmap ?
I hate to say this, but I put this in as a "wish" about 4 years ago. I still want this option and that's what it should be - an option. In the 802.1x policy there should be a drop down or radio buttons or something that lets the network admin pick what they want to happen if the ISE server is offline.