Meraki and Cisco ISE

JohanPlukon
Getting noticed

Meraki and Cisco ISE

Somehow few people can give me clarity on this hence this post. What happens to the the clients sitting on a Meraki switch port that are already authenticated, won't be Meraki specifically but after all we are in a Meraki forum, if Cisco ISE is not available?

 

Do all clients sitting on these authenticated ports then lose their connection to the network?

Do they fall back to the guest vlan?

 

11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal

RADIUS Monitoring
In addition to the mechanism in RADIUS Testing, if all RADIUS servers are unreachable, clients attempting to authenticate will be put on the Guest or Critical Auth VLAN depending on which is defined.  When the connectivity to the server is regained, the switchport will be cycled to initiate authentication.  Please contact Meraki Support to enable this feature.

This feature must be enabled to track RADIUS server reachability. If not enabled, clients will continue to be put on the Guest or Critical Auth VLANs even after connectivity between the MS and RADIUS server has been restored.

RADIUS test messages are sent every 5 minutes.

 

Full doc: https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
JohanPlukon
Getting noticed

So if you want to make sure that clients dont fall back to a guest vlan, when sd-wan/mpls connectivity is lost, you want to setup a cisco ise appliance on each location? That will be a pretty expensive setup right? 

alemabrahao
Kind of a big deal
Kind of a big deal

Exactly, the best thing in the world is that each location has its server node and ISE, but we know that this is not cheap.
 
So it's something that should be taken into account. Today for example we have 4 servers, two on our main site and one on the backup site and of course at least two links from different ISPs in each location.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

If the SD-WAN is down - is there anything left for the users to access?

 

You could also consider a backup circuit like cellular.

DarrenOC
Kind of a big deal
Kind of a big deal

But @JohanPlukon is talking about ports that have already been authenticated.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
alemabrahao
Kind of a big deal
Kind of a big deal

It's why radius testing is used. 😉

 

RADIUS test messages are sent every 5 minutes.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
JohanPlukon
Getting noticed

Yes. Ports that are not already authenticates, i can inmagine these will fallback to the guest vlan as they dont have any posibility to do authentication in any way. 

DarrenOC
Kind of a big deal
Kind of a big deal

So with Radius testing enabled ISE will poll every 5 minutes. If a response isn’t received all authenticated ports will be placed into Guest or other fallback mode?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
JohanPlukon
Getting noticed

Thats what i wanted to know indeed. I do know how to configure all settings and how to make it work.

 

But as we have 30 remote locations where some locations with remote connections that are not always reliable. If already authenticated ports keep their connection its fine, but if radius testing makes these ports re-authenticate afer 5 minutes it will cause problems.  

alemabrahao
Kind of a big deal
Kind of a big deal

RADIUS Monitoring must be enabled to track RADIUS server reachability. If not enabled, clients will continue to be put on the Guest or Critical Auth VLANs even after connectivity between the MS and RADIUS server has been restored.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Inderdeep
Kind of a big deal
Kind of a big deal
Get notified when there are additional replies to this discussion.