Somehow few people can give me clarity on this, hence this post. What happens to the clients sitting on a Meraki switch port that are already authenticated (this won't be Meraki-specific, but after all we are in a Meraki forum) if Cisco ISE is not available?
Do all clients sitting on these authenticated ports then lose their connection to the network?
Do they fall back to the guest vlan?
RADIUS Monitoring
In addition to the mechanism in RADIUS Testing, if all RADIUS servers are unreachable, clients attempting to authenticate will be put on the Guest or Critical Auth VLAN depending on which is defined. When the connectivity to the server is regained, the switchport will be cycled to initiate authentication. Please contact Meraki Support to enable this feature.
This feature must be enabled to track RADIUS server reachability. If not enabled, clients will continue to be put on the Guest or Critical Auth VLANs even after connectivity between the MS and RADIUS server has been restored.
RADIUS test messages are sent every 5 minutes.
Full doc: https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)
So if you want to make sure that clients don't fall back to a guest VLAN when SD-WAN/MPLS connectivity is lost, you want to set up a Cisco ISE appliance at each location? That will be a pretty expensive setup, right?
If the SD-WAN is down - is there anything left for the users to access?
You could also consider a backup circuit like cellular.
But @JohanPlukon is talking about ports that have already been authenticated.
It's why radius testing is used. 😉
RADIUS test messages are sent every 5 minutes.
Yes. Ports that are not already authenticated, I can imagine these will fall back to the guest VLAN as they don't have any possibility to do authentication in any way.
So with RADIUS testing enabled ISE will be polled every 5 minutes. If a response isn't received, will all authenticated ports be placed into Guest or another fallback mode?
That's what I wanted to know indeed. I do know how to configure all settings and how to make it work.
But we have 30 remote locations, some of which have remote connections that are not always reliable. If already authenticated ports keep their connection it's fine, but if RADIUS testing makes these ports re-authenticate after 5 minutes it will cause problems.
RADIUS Monitoring must be enabled to track RADIUS server reachability. If not enabled, clients will continue to be put on the Guest or Critical Auth VLANs even after connectivity between the MS and RADIUS server has been restored.
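To make the documented behaviour from the two quoted passages concrete (fallback to the Critical Auth or Guest VLAN while every RADIUS server is unreachable, test messages every 5 minutes, and port cycling on recovery only when RADIUS Monitoring is enabled), here is a small model of a switch applying those rules. This is an added example written for this thread, not Meraki or Cisco code, and it does not reflect how the MS firmware is implemented. It makes one labelled assumption that the quoted text only implies: a port that already holds a successful authentication is not touched by the monitoring mechanism and is only re-evaluated when it next authenticates. Port names, VLAN numbers and the outage timeline are constructed.

```python
"""Model of the RADIUS Monitoring fallback described in the Meraki doc quotes.

Added example, not Meraki/Cisco code. Rules encoded from the quoted text:
  * a client authenticating while all RADIUS servers are unreachable lands on
    the Critical Auth VLAN if one is defined, otherwise on the Guest VLAN;
  * RADIUS test messages are sent every 5 minutes;
  * with RADIUS Monitoring enabled, the switch tracks reachability and cycles
    fallback ports (forcing re-authentication) once a server answers again;
  * with it disabled, ports parked on a fallback VLAN stay there after recovery.
Labelled assumption: an already-authenticated port is left alone by this
mechanism; nothing here re-authenticates it during an outage.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

TEST_INTERVAL_MIN = 5  # documented RADIUS test cadence


class State(Enum):
    UNAUTH = "unauthenticated"
    AUTHENTICATED = "authenticated"
    FALLBACK = "fallback"  # parked on Guest or Critical Auth VLAN


@dataclass
class Port:
    name: str
    state: State = State.UNAUTH
    vlan: Optional[int] = None


@dataclass
class Switch:
    access_vlan: int
    guest_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None
    monitoring_enabled: bool = False
    ports: Dict[str, Port] = field(default_factory=dict)
    servers_reachable: bool = True  # only tracked when monitoring is enabled
    clock_min: int = 0
    log: List[str] = field(default_factory=list)

    def fallback_vlan(self) -> Optional[int]:
        # Critical Auth VLAN is used when defined, Guest VLAN otherwise.
        return self.critical_vlan if self.critical_vlan is not None else self.guest_vlan

    def client_connects(self, port_name: str, server_up: bool) -> Port:
        """A supplicant authenticates on `port_name`; `server_up` is the
        constructed real-world availability of the RADIUS servers."""
        port = self.ports.setdefault(port_name, Port(port_name))
        if server_up:
            # Constructed assumption: the server accepts the supplicant.
            port.state, port.vlan = State.AUTHENTICATED, self.access_vlan
        else:
            vlan = self.fallback_vlan()
            if vlan is None:
                port.state, port.vlan = State.UNAUTH, None
            else:
                port.state, port.vlan = State.FALLBACK, vlan
        self.log.append(f"t={self.clock_min}m {port_name}: {port.state.value} vlan={port.vlan}")
        return port

    def run_test_cycle(self, server_up: bool) -> None:
        """One 5-minute RADIUS test message; the reply is the constructed
        `server_up`. Without monitoring the switch does not track reachability,
        so nothing changes. Authenticated ports are never touched (assumption)."""
        self.clock_min += TEST_INTERVAL_MIN
        if not self.monitoring_enabled:
            return
        was_reachable = self.servers_reachable
        self.servers_reachable = server_up
        if server_up and not was_reachable:
            # Connectivity regained: cycle only the ports parked on a fallback VLAN.
            for p in list(self.ports.values()):
                if p.state is State.FALLBACK:
                    self.log.append(f"t={self.clock_min}m {p.name}: port cycled")
                    self.client_connects(p.name, server_up=True)


def simulate(monitoring_enabled: bool) -> Dict[str, tuple]:
    """Constructed scenario: one client authenticates before an outage, one
    during it, then the servers come back. Returns {port: (state, vlan)}."""
    sw = Switch(access_vlan=10, guest_vlan=20, critical_vlan=99,
                monitoring_enabled=monitoring_enabled)
    sw.client_connects("gi1", server_up=True)
    sw.run_test_cycle(server_up=False)     # outage begins
    sw.client_connects("gi2", server_up=False)
    sw.run_test_cycle(server_up=False)     # still down, nothing changes
    sw.run_test_cycle(server_up=True)      # connectivity regained
    return {p.name: (p.state.value, p.vlan) for p in sw.ports.values()}


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"RADIUS Monitoring enabled={enabled}: {simulate(enabled)}")
```

Running it shows the difference the second quote warns about: with monitoring enabled, the port that joined during the outage (`gi2`) is cycled and ends up on the access VLAN, while with it disabled that port stays on VLAN 99 after the servers return. In both runs the port authenticated before the outage (`gi1`) keeps its VLAN, which is the modelling assumption stated above rather than something the quoted text spells out.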
Some of the articles:
Cisco Meraki : Add ISE as a RADIUS Server for Guest SSID - The Network DNA
Add ISE as a RADIUS Server for Wired 802.1X - The Network DNA
Cisco Meraki: Add ISE as a RADIUS Server for Dot1x SSID - The Network DNA