MS Switch Is Unable to Relay 802.1x to Cisco ISE

Solved
fatanu
Here to help

Issue:

We have an endpoint with a PEAP Ethernet profile connected to port 5 on a Meraki switch. We have also configured the 802.1X access policy on the Meraki switch and applied it to port 5.

When testing the RADIUS server from the switch, it successfully reaches the ISE, and logs are visible in ISE.

The endpoint is sending EAPOL Start and EAPOL packets to the switch, but the switch is not relaying the RADIUS packets to ISE.


Additional Context:

At first I thought it was a Windows supplicant issue (as I have read some people had issues with Windows 11). I configured dot1x on a Cisco Catalyst switch, and I connected the same system to it. It immediately got connected and I can see the log in ISE. Then I ruled out Windows as the issue, and narrowed it down to a Meraki switch issue. I did a packet capture on the port on the Meraki switch the system is connected to and I can see the endpoint is starting EAPOL and sending EAP packets; the switch is just not relaying it to ISE.


I am having this issue with a Meraki MS210 switch as well as an MS225 switch. The RADIUS test from the switch to the ISE is visible in the ISE logs, but I am not seeing any logs for devices connected to ports that the access policy is applied to. Also, MAB is working on the port, but 802.1x is not working. Is there anything I am missing? This is driving me crazy. Please help out, this is a cry for help!!!


1 Accepted Solution
fatanu
Here to help

Thank you everyone that responded to me and offered help. It was a bug in the firmware. I raised a case with Cisco support and got on a troubleshooting call with them. We rolled back the firmware from 17.1.4 to 16.9 and tested it, everything works fine and now the switch is relaying the radius request to the Radius server. The case has now been submitted to their development team and they can reproduce the scenario to test. For now, I will continue to use 16.9 which is working. Thanks everyone!

30 Replies
Mloraditch
Head in the Cloud

I'm not sure if you have two accounts or a coworker but my reply here is a likely issue: https://community.meraki.com/t5/Switching/My-Switch-MS225-is-not-relying-the-EAP-radius-requests-to-...

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
fatanu
Here to help

Oh... it's a colleague... we decided to post it differently, we have been stuck on this issue for days.... Thanks for the quick response.

fatanu
Here to help

That did not fix the issue.... I still can't see a log in ISE.

Mloraditch
Head in the Cloud

Try temporarily setting your policy to something other than multi domain and then 802.1x only to see if it works then. If it doesn't you might have an issue like @PhilipDAth mentioned. If it doesn't you might have an issue support needs to look at.

alemabrahao
Kind of a big deal

You can review the required settings here:


https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Are you doing certificate authentication? If so, the packets might be bigger than the MTU and getting dropped. If so, try adding Framed-MTU to ISE with a smaller value (e.g. 1300).

fatanu
Here to help

No, I'm using PEAP with MSCHAPv2. It is only showing "attempting to authenticate" without prompting to log in. All I need is a log in ISE, then I can say the switch is relaying the connection authentication attempt to ISE. But ISE is not seeing anything, and when you do a RADIUS test from the switch to ISE, I can see the log. The two switches show they support 802.1x so I'm wondering what the issue is. MAB is working; just 802.1x is what I am having an issue with. It's weird that two different switches, MS210 and MS225, are having the same issue.

PhilipDAth
Kind of a big deal

It may simply be that your client is not attempting 802.1x.

PhilipDAth
Kind of a big deal

If this is for Windows machines, have you enabled the "Wired AutoConfig" service?

fatanu
Here to help

@PhilipDAth Yes, Wired AutoConfig is enabled. When this client is connected to another Cisco switch (Catalyst), not Meraki, it is able to authenticate and connect. So that rules out the client as the issue. It is a Meraki issue. We have tried different options, single host, multi-domain, multi-auth etc.... same issue.

Mloraditch
Head in the Cloud

Have you tried those modes with 802.1x only instead of Hybrid? If that works and switching back to hybrid doesn't I'd be calling support and if it doesn't work at all in that mode I'd also be calling support. With your various tests with your Catalyst switches you have plenty of proof it should work and is down to something the Meraki isn't doing properly.

PhilipDAth
Kind of a big deal

Does anything appear in the Meraki event switch log?

fatanu
Here to help

Only messages like "802.1x Canned EAP Success"... something like that.

fatanu
Here to help

I'm curious whether anyone has successfully gotten wired 802.1x to work on Meraki switches. Everything is working fine with the wireless so far, but no single success yet for wired 802.1x. We are not doing anything with certificates, so EAP-TLS is out of the picture. But we tried PEAP and TEAP, no luck.

PhilipDAth
Kind of a big deal

I have done lots of wired 802.1x deployments using Meraki switches. No issue.

All my deployments use Microsoft NPS. I don't do MAB (no hybrid). They all do certificate authentication (EAP-TLS).

Mloraditch
Head in the Cloud

We have 5 or so larger (to me) installs, although we use EAP-TLS with ISE. We do use Hybrid. All working fine.

fatanu
Here to help

Maybe Meraki switches do not support PEAP... because ours is PEAP MSCHAPv2, and I have tried with two different switch models, MS210 and MS225... same result. ISE is not getting logs at all. Do you mind sharing your access policy config to see what we are doing differently? This is a real big issue and blocker to moving past this POC, so it's giving me sleepless nights. What Meraki switches have you configured it with?

Mloraditch
Head in the Cloud

If you are having sleepless nights I really urge you to get on the phone with support. We are all trying to help you, but they can actually see your network and access backend data that we cannot. I can tell you my primary access policy looks just like yours.

PhilipDAth
Kind of a big deal

> Maybe Meraki switches does not support PEAP

Meraki has no knowledge of the internal authentication protocol in use. That is between the switch and the RADIUS server.

fatanu
Here to help

I said this because Meraki is not even relaying the packet to ISE. It's just a weird issue, because there are not so many things to fill in on the access policy page that I might have missed something.

PhilipDAth
Kind of a big deal

My deployments have mostly been on MS120s and MS225s.

PhilipDAth
Kind of a big deal

Have you considered contracting a Cisco partner to help you with this? It might be quite quick for them to fix...

fatanu
Here to help

Not yet, still exploring whether anyone has experienced the issue; that is why I posted it here for a solution.

ww
Kind of a big deal

Did you also make a packet capture on the same switch's uplink port, where the packet should leave, to verify there is no RADIUS traffic sent to the server?

fatanu
Here to help

I just did two packet capture use cases on the uplink:

1) When the endpoint connected to the port with the 802.1x policy is attempting authentication. The packet capture shows it is not sending any RADIUS Access-Request out the uplink. This confirms why ISE is not showing any log.

2) When I did the RADIUS connectivity test on the policy from the switch to ISE. I can see the RADIUS Access-Request packet going out of the uplink. This confirms why I am getting logs in ISE.

So ultimately it's a switch problem. I have done the exact access policy configuration from their documentation, so I am not sure what else to do. If anyone can share a working access policy config, I will appreciate it. Thanks!
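The two-capture check above (EAPOL seen on the access port, RADIUS Access-Request expected on the uplink) can be automated over raw Ethernet frames. This is an added example, not code from the thread or from Meraki; the MAC addresses, IP addresses and the builder functions for sample frames are constructed for the demonstration, and real captures would be read from a pcap instead.

```python
import socket
import struct

RADIUS_AUTH_PORTS = {1812, 1645}      # standard and legacy RADIUS authentication ports
ETH_EAPOL, ETH_IPV4 = 0x888E, 0x0800


def eth_frame(dst_mac, src_mac, ethertype, payload):
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def eapol_start(client_mac="001122334455"):
    # Constructed sample: EAPOL v1, packet type 1 (Start), body length 0, sent to the PAE group MAC
    return eth_frame("0180c2000003", client_mac, ETH_EAPOL, bytes([1, 1, 0, 0]))


def radius_access_request(src_ip, dst_ip):
    # Constructed sample: RADIUS code 1 = Access-Request, identifier 7, length 20, zero authenticator
    radius = bytes([1, 7, 0, 20]) + b"\x00" * 16
    udp = struct.pack("!HHHH", 50000, 1812, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return eth_frame("00aabbccdd01", "00aabbccdd02", ETH_IPV4, ip)   # hypothetical MACs


def classify(frames):
    """Count EAPOL-Start, other EAPOL/EAP, and RADIUS Access-Request frames in a capture."""
    counts = {"eapol_start": 0, "eapol_other": 0, "radius_access_request": 0}
    for f in frames:
        etype = struct.unpack("!H", f[12:14])[0]
        if etype == ETH_EAPOL:
            counts["eapol_start" if f[15] == 1 else "eapol_other"] += 1
        elif etype == ETH_IPV4:
            ihl = (f[14] & 0x0F) * 4
            if f[23] != 17:                  # IP protocol 17 = UDP; skip anything else
                continue
            udp = f[14 + ihl:]
            dport = struct.unpack("!H", udp[2:4])[0]
            if dport in RADIUS_AUTH_PORTS and udp[8] == 1:   # RADIUS code byte 1 = Access-Request
                counts["radius_access_request"] += 1
    return counts


def diagnose(access_port_frames, uplink_frames):
    """Apply the thread's reasoning: EAPOL on the access port must produce RADIUS on the uplink."""
    a, u = classify(access_port_frames), classify(uplink_frames)
    if a["eapol_start"] == 0:
        return "no EAPOL-Start seen: supplicant is not attempting 802.1X"
    if u["radius_access_request"] == 0:
        return "EAPOL seen but no RADIUS Access-Request on uplink: switch is not relaying"
    return "switch is relaying 802.1X to RADIUS"
```

The first verdict points at the client (the Wired AutoConfig check earlier in the thread); the second is the switch-side symptom described here, which in this case turned out to be a firmware bug.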

Mloraditch
Head in the Cloud

Please contact support. I realize this is frustrating but your policies look right. They usually answer within moments. You don't have to wait for an engineer like regular TAC.

RaphaelL
Kind of a big deal

Also, "increase access speed" is never a good idea.

fatanu
Here to help

Yes... I removed it.


CarolineS
Community Manager

Thank you for the follow-up, @fatanu! I'm going to mark your reply as the "solution" for the benefit of folks who visit this thread in the future.

Cheers!

Caroline S | Community Manager, Cisco Meraki