Meraki

Community

Meraki and Cisco ISE

JohanPlukon
Getting noticed
‎Jul 31 2023 11:22 AM
‎Jul 31 2023 11:22 AM

Meraki and Cisco ISE

Somehow few people can give me clarity on this hence this post. What happens to the the clients sitting on a Meraki switch port that are already authenticated, won't be Meraki specifically but after all we are in a Meraki forum, if Cisco ISE is not available?

 

Do all clients sitting on these authenticated ports then lose their connection to the network?

Do they fall back to the guest vlan?

 

0 Kudos
11 Replies 11
alemabrahao
Kind of a big deal
‎Jul 31 2023 11:31 AM
‎Jul 31 2023 11:31 AM

RADIUS Monitoring
In addition to the mechanism in RADIUS Testing, if all RADIUS servers are unreachable, clients attempting to authenticate will be put on the Guest or Critical Auth VLAN depending on which is defined.  When the connectivity to the server is regained, the switchport will be cycled to initiate authentication.  Please contact Meraki Support to enable this feature.

This feature must be enabled to track RADIUS server reachability. If not enabled, clients will continue to be put on the Guest or Critical Auth VLANs even after connectivity between the MS and RADIUS server has been restored.

RADIUS test messages are sent every 5 minutes.

 

Full doc: https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
JohanPlukon
Getting noticed
‎Jul 31 2023 11:37 AM
‎Jul 31 2023 11:37 AM

So if you want to make sure that clients dont fall back to a guest vlan, when sd-wan/mpls connectivity is lost, you want to setup a cisco ise appliance on each location? That will be a pretty expensive setup right? 

0 Kudos
In response to JohanPlukon
alemabrahao
Kind of a big deal
‎Jul 31 2023 11:42 AM
‎Jul 31 2023 11:42 AM

Exactly, the best thing in the world is that each location has its server node and ISE, but we know that this is not cheap.
 
So it's something that should be taken into account. Today for example we have 4 servers, two on our main site and one on the backup site and of course at least two links from different ISPs in each location.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to JohanPlukon
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 31 2023 12:54 PM
‎Jul 31 2023 12:54 PM

If the SD-WAN is down - is there anything left for the users to access?

 

You could also consider a backup circuit like cellular.

0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 31 2023 11:36 AM
‎Jul 31 2023 11:36 AM

But @JohanPlukon is talking about ports that have already been authenticated.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
alemabrahao
Kind of a big deal
‎Jul 31 2023 11:38 AM
‎Jul 31 2023 11:38 AM

It's why radius testing is used. 😉

 

RADIUS test messages are sent every 5 minutes.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to DarrenOC
JohanPlukon
Getting noticed
‎Jul 31 2023 11:39 AM
‎Jul 31 2023 11:39 AM

Yes. Ports that are not already authenticates, i can inmagine these will fallback to the guest vlan as they dont have any posibility to do authentication in any way. 

0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 31 2023 11:41 AM
‎Jul 31 2023 11:41 AM

So with Radius testing enabled ISE will poll every 5 minutes. If a response isn’t received all authenticated ports will be placed into Guest or other fallback mode?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
JohanPlukon
Getting noticed
‎Jul 31 2023 12:09 PM
‎Jul 31 2023 12:09 PM

Thats what i wanted to know indeed. I do know how to configure all settings and how to make it work.

 

But as we have 30 remote locations where some locations with remote connections that are not always reliable. If already authenticated ports keep their connection its fine, but if radius testing makes these ports re-authenticate afer 5 minutes it will cause problems.  

0 Kudos
In response to JohanPlukon
alemabrahao
Kind of a big deal
‎Jul 31 2023 12:22 PM
‎Jul 31 2023 12:22 PM

RADIUS Monitoring must be enabled to track RADIUS server reachability. If not enabled, clients will continue to be put on the Guest or Critical Auth VLANs even after connectivity between the MS and RADIUS server has been restored.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Inderdeep
Kind of a big deal
‎Jul 31 2023 11:50 AM
‎Jul 31 2023 11:50 AM

Some of the articles 

Cisco Meraki : Add ISE as a RADIUS Server for Guest SSID - The Network DNA

Add ISE as a RADIUS Server for Wired 802.1X - The Network DNA

Cisco Meraki: Add ISE as a RADIUS Server for Dot1x SSID - The Network DNA

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/
0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.