Meraki

PhillipJFry · ‎May 11 2023

We are trying to setup an 8021x MAB policy for our phones. The phones are avaya phones. The windows RADIUS server's network policy constraints are configured for ethernet and must be a member of a security group. Also, I have set vendor specific Cisco AV Pair device-traffic-class=voice attribute in the policy. We have created an AD user account with the MAC as the username/password. Logs show MAB auth response is accept, but the shows eap failure Identity anonymous. Then the phone gets put on the failed auth guest vlan we setup, but cant ping the device. Any recommendations or advice for me to look at?

PhillipJFry · ‎May 30 2023

Wanted to inform everyone that we finally got the issue resolved. The issue was because both mab devices, one being the phone, and the other being a pc, were both utilizing the same network access policy on the NPS server. The network policy was passing the AV-Pair attribute for voice to both devices, causing a conflict. Once I create a separate network policy for each device, the pc and phone both are authenticating like they should.

View solution in original post

alemabrahao · ‎May 11 2023

I suggest you review the documentation.

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

PhillipJFry · ‎May 11 2023

I can get the single phone client to work if I use single host mode, but we are trying to do the "multi-domain" mode since we have PCs hind the phone.

JacekJ · ‎May 16 2023

How does the port setting look like?

We set up the multi-domain with VoIP around 2-3 years ago so I might be wrong, but I think you need to provide the vlan and voice vlan on the port despite of the policy "telling" the switch what to do.

The vlan we set up to something that we simply don't use anywhere.

PhillipJFry · ‎May 25 2023

See the below image for port configuration. I still have an open ticket with TAC on this. Making some progress, but no solution yet.

JanDeuss · ‎May 25 2023

Hello,

we have the same Problem. If i set vlan and voice vlan on the same setting my configuration works fine.

Then i set vlan to 1 the setting does not work. The Meraki switch does not use the cisco-av.pair setting from the Windows Network policy server.

The Port is beeing autheticated correctly but from the av pair setting is nothing in the log.

May 17 12:42:04	NLT-1		00:1a:e8:64:c2:ca	RADIUS	MAB authentication	resp: accept
May 17 12:42:04	NLT-1	Port 21	00:1a:e8:64:c2:ca	802.1X	RADIUS response	port: 21, rtt: 0.000 ms
May 17 12:42:04	NLT-1	Port 21	00:1a:e8:64:c2:ca	802.1X	802.1X deauthentication	port: 21
May 17 12:42:03	NLT-1	Port 21		Spanning Tree	Port RSTP role change	Port 21 disabled→designated
May 17 12:42:03	NLT-1	Port 21		Switch port	Port status change	port: 21, old: down, new: 1Gfdx

PhillipJFry · ‎May 25 2023

Your logs and setup look very similar to ours. So far it seem like the issue is because both devices are MAB auth. devices. They are are hitting the same network policy on the radius server. I still have an open ticket with TAC on this, hopefully we have some answers soon.

PhillipJFry · ‎May 30 2023

Wanted to inform everyone that we finally got the issue resolved. The issue was because both mab devices, one being the phone, and the other being a pc, were both utilizing the same network access policy on the NPS server. The network policy was passing the AV-Pair attribute for voice to both devices, causing a conflict. Once I create a separate network policy for each device, the pc and phone both are authenticating like they should.

JoelFMC

Hi PhillipJFry,

Similar to your situation, we also use dual MAB authentication. The device intended for the data VLAN is taking over the voice VLAN, which prevents both devices from connecting to the network, according to Meraki support isolation. Could you please provide more details on the precise solution you have used? You stated that you implemented a "separate network policy" for this type of configuration. Specifically, where did you implement the network policy?

JanDeuss

Hello Joel,

We've implemented the identical structure. We use the Microsoft NPS server as the Radius server. We've created several policies there, which the server processes from top to bottom. As you can see, the Meraki VoIP policy comes first. It also includes the attribute for the switch, indicating that it's a VoIP device. I'm attaching a few screenshots for you.

We use MAB for the VoIP phones and EAP TLS for the domain computers. Users are then authenticated via EAP TLS based on their domain user certificate. For this purpose, we've created groups in our AD to determine which user belongs to which VLAN. We query these groups under the conditions in the NPS server.

It's also important not to check the "Fast Authentication" box in the Meraki dashboard; this causes massive problems for us.

I hope this is now a little clearer for you.