IP Address for Switch Stack and Authentication

KRobert
Head in the Cloud

We are migrating away from a Catalyst 2960X switch stack to a Meraki MS210 switch stack. In the 2960X switch stack, we utilized a VLAN interface that acted as the IP address for the entire stack. This way, when it came to RADIUS 802.1X authentication, we only had to approve the single VLAN IP address rather than an individual IP address for each switch. I'd like to achieve the same thing with the Meraki stack if this is possible. Each switch will be given an IP address for management purposes, but is there a way to funnel all RADIUS authentication traffic through a Layer 3 interface so that when a client connects and authenticates with 802.1X, the RADIUS server sees the supplicant as the Layer 3 interface IP address rather than the switch IP address itself?


CMNO, CCNA R+S
Ryan_Miles
Meraki Employee

The source interface for RADIUS would be the switch's management IP (each switch in a stack). You can optionally use a different management IP. But you cannot configure it to come from an L3 interface of the switch.

Thanks @Ryan_Miles. Once enabled, can I assign the same alternate management IP address to multiple switches of the stack?

CMNO, CCNA R+S

The alternate management IP, just like the regular management IP, is a per-switch thing. In Meraki stacking, management IPs always need to be present per switch.

So, in short, there is no way to represent the entire stack as one IP address, specifically for RADIUS authentication.

CMNO, CCNA R+S

Correct

ww
Kind of a big deal

With Meraki it's best to use a management subnet for switches and APs, and add that subnet to the RADIUS server.

KRobert
Head in the Cloud

@ww, you are saying to have your switches/APs assigned to a management VLAN (assign the switch IP on that network) and add that network to the RADIUS server for authentication, but have the endpoints on a separate data VLAN?

CMNO, CCNA R+S
ww
Kind of a big deal

Yes, a separate management VLAN. Then you can add that VLAN/subnet to the RADIUS server so you don't have to add individual IPs.

Data clients, servers, VoIP phones, etc. are on other VLANs.
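As an added example (not from any post in this thread), the following FreeRADIUS `clients.conf` fragment contrasts the two approaches discussed above: one RADIUS client entry per stack member, versus a single entry covering the management VLAN that ww recommends. The subnet 10.0.10.0/24, the switch addresses, the client names and the secrets are placeholders, not values from the thread.

```conf
# Added example, not from the original thread. Addresses, names and secrets are placeholders.

# Option A: one client per stack member. Meraki sources RADIUS requests from each
# switch's own management IP (or alternate management IP), so every member needs an entry.
client ms210-stack-1 {
    ipaddr    = 10.0.10.11
    secret    = replace-me-switch-1
    shortname = ms210-1
}
client ms210-stack-2 {
    ipaddr    = 10.0.10.12
    secret    = replace-me-switch-2
    shortname = ms210-2
}

# Option B: a single client entry for the whole management VLAN.
# FreeRADIUS accepts CIDR notation in ipaddr, so any NAS in 10.0.10.0/24 matches.
# One shared secret then covers every device in the range, so keep that VLAN
# reserved for switches and APs and restrict which hosts can reach it.
client meraki-mgmt-vlan {
    ipaddr    = 10.0.10.0/24
    secret    = replace-me-shared-mgmt
    shortname = meraki-mgmt
    nas_type  = other
}
```

FreeRADIUS matches the most specific client entry, so a per-switch entry and the /24 entry can coexist and the per-switch secret wins for that address. After editing, `radiusd -CX` checks the configuration syntax without starting the daemon.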

KRobert
Head in the Cloud

Thanks. Why is that "best" for Meraki products compared to others?

CMNO, CCNA R+S
ww
Kind of a big deal

Well, a separate management subnet is always good, so you can restrict traffic to that VLAN more easily. But for Cisco you always used a WLC, and the WLC IP did the authentication. And for switches, like you said, you just used one IP for a stack. Now at Meraki every AP and switch has its own management IP that authentication requests are sourced from. You don't want to add every single one of those IPs to the RADIUS server.
