IP Address for Switch Stack and Authentication

KRobert
Head in the Cloud

IP Address for Switch Stack and Authentication

We are migrating away from a Catalyst 2960x switch stack to a Meraki MS210 switch stack. In the 2960x switch stack, we utilized a VLAN interface that acted as the IP address for the entire stack. This way when it came to RADIUS 802.1x authentication, we only had to approve the single VLAN IP address rather than an individual IP address for each switch. I'd like to achieve the same thing with Meraki stack if this is possible. Each switch will be given an IP address for management purposes, but is there a way to funnel all RADIUS authentication traffic through a Layer 3 Interface so that when a client connects and authenticates with 802.1x, the RADIUS server sees the supplicant as the Layer 3 Interface IP address rather than the switch IP address itself? 

 

CMNO, CCNA R+S
10 Replies 10
Ryan_Miles
Meraki Employee
Meraki Employee

The source int for RADIUS would be the switches mgmt IP (each switch in a stack). You can optionally use a different mgmt IP. But you cannot configure it to come from a L3 interface of the switch.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
KRobert
Head in the Cloud

Thanks @Ryan_Miles . Once enabled, can I assign the same ALT MGMT IP address to multiple switches of the stack?

CMNO, CCNA R+S
Ryan_Miles
Meraki Employee
Meraki Employee

Alt mgmt IP just like the regular mgmt IP is a per switch thing. In Meraki stacking mgmt IPs always need to be present per switch.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
KRobert
Head in the Cloud

So in short, there is no way to represent the entire stack as 1 IP address. Specifically for RADIUS Authentication 

CMNO, CCNA R+S
Ryan_Miles
Meraki Employee
Meraki Employee

Correct

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
ww
Kind of a big deal
Kind of a big deal

With meraki its best to use a management subnet for switch and ap. And add that subnet to the radius.

KRobert
Head in the Cloud

@ww you are saying have your switch/aps assigned a MGMT network VLAN (assign the switch IP on that network) and add that to the RADIUS server for authentication, but have the endpoints on a separate data VLAN network?

CMNO, CCNA R+S
ww
Kind of a big deal
Kind of a big deal

Yes a separate management vlan. Then you can add that vlan/subnet to the radius server so you dont have to add individual ip's.

Data Clients ,servers, voip phones etc. are on other vlans.  

KRobert
Head in the Cloud

Thanks. why is that "best" for Meraki products compared to others?

CMNO, CCNA R+S
ww
Kind of a big deal
Kind of a big deal

Wel a separate management subnet is always good so you can restrict traffic to that vlan more easy.  But for cisco you always used a wlc and the wlc ip did authentication. And for switches like you said you just used one for a stack.  Now at meraki every ap and switch has its own management  ip where  authentication  requests  are sourced from.  You dont want to add every single of that ip to the radius server.

Get notified when there are additional replies to this discussion.