Good morning all,
I have been working on this for a few days and I just can't figure it out. I am hoping someone on here might be able to point me in the right direction before I put a ticket in. I will try and lay this out as completely as possible.
I am testing Meraki and 802.1x in a lab environment. As of right now I have a MS120-24P Meraki Switch connected to a Cisco 887A Router and the switch is pointed at a Radius server. Now I have successfully created an access policy for 802.1x and successfully tested it on the switch and an MR42 Meraki AP. I am now trying to test out other devices that we have in our branch offices like printers. At the moment I have a Lexmark MS410DN printer connected directly to the switch. When the port is "open" (access port) I can see the printer, it is in the appropriate vlan and we can print from it. However, my problem is when I apply the access policy to the port then the printer is placed in vlan 10 (guest network) and we can no longer see it. For some reason it is not communicating with the radius server. In radius I have added it as a client by both MAC address and static IP, in AD there is a group that has the MAC address of the printer. I have included one of our systems guys to walk through the radius 802.1x config wizard with me and no matter what we do we can get the printer to go from vlan 10 to vlan 1 and be visible on the network by being authenticated with radius. If anyone has encountered this problem please let me know what you did to fix it. Much appreciated.
I created a 2nd access policy this one being a Hybrid and placed it on the port with the printer. It was still rejected by Radius.
OK, so in the event log for the dashboard it just says Radius authentication rejected.
On my Radius server I am getting event 6273 reason code 65, so I am investigating that at the moment. There is some small detail that I am overlooking.
It could be something as stupid as the format of the MAC being sent. xx:xx:xx:xx:xx:xx instead of xxxx.xxxx.xxxx for example. I'm not familiar with that RADIUS error so that's just speculation.
Tell me about it!
It looks like it could be the dial-in properties in the AD user account so we are checking this to see if it is set to deny or allow. I'll let you know if that produces any results.
FYI, when I do wired 802.1x I make sure the client gets printers with native 802.1x support, so they log in like everything else. It makes life much easier.
So I was working on this problem this morning and created a third access policy... MAC Address Bypass, but I also found in my Radius server that under client IPv4 address I had put in the IP of my printer instead of my switch. Now it all works as it should. Thank you all for your ideas and help... this problem is solved!!!
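An added example, not part of any post in this thread: a small Python triage that reads the text of a rejected-authentication event (6273) and checks the three causes the thread went through, namely the notation of the MAC sent as the user name, reason code 65 and the dial-in properties, and whether the switch's address is the one entered as the RADIUS client. The event excerpt, the addresses, the `lab-switch` name and the function names are all constructed for illustration.

```python
import re

# Constructed excerpt of an NPS event 6273 body; every value is made up.
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
User:
    Account Name:                 aabbccddeeff
Client Machine:
    Calling Station Identifier:   AA-BB-CC-DD-EE-FF
NAS:
    NAS IPv4 Address:             192.0.2.10
Authentication Details:
    Reason Code:                  65
"""

def parse_event(text):
    """Collect the indented 'Key: value' lines of an event body into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s+(\S.*)$", line)
        if m:
            # Keep the first occurrence: 'Account Name' under 'User' comes first.
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields

def mac_key(value):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return digits if len(digits) == 12 else None

def triage(text, configured_clients):
    """Return findings for the three causes raised in the thread.

    configured_clients maps a RADIUS client name to the address entered for it
    on the server (hypothetical input, typed in by the operator).
    """
    f = parse_event(text)
    findings = []
    user = f.get("Account Name", "")
    if mac_key(user):
        findings.append(f"user name is a MAC sent as '{user}'; the directory entry must use this notation")
    nas = f.get("NAS IPv4 Address")
    if nas not in configured_clients.values():
        findings.append(f"switch {nas} is not among the configured RADIUS client addresses")
    if f.get("Reason Code") == "65":
        findings.append("reason code 65: check the dial-in properties of the account")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENT, {"lab-switch": "192.0.2.50"}):
        print("-", finding)
```

With the client entry pointing at the printer's address (192.0.2.50 here) all three findings are reported; once the entry holds the switch's address the client finding drops out.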