Teleworker Z Firewall interface dot1x

netgn
New here

Has anyone had any luck using dot1x authentication on the Teleworker Z firewalls? We have remote teleworkers and we want to authenticate their device before it's allowed onto the network, which has our AutoVPN enabled to our hub sites. We turned it on, but during testing, after attempting to log on to the Windows machine, it just hangs.

Our RADIUS server is reachable from the Teleworker, as we've confirmed ping from the source VLAN the packet would come from.

Outside of making sure RADIUS is reachable and set up, is there anything you would need to do on the local PC to make this work properly? RADIUS works for our internal wireless just fine, so we know RADIUS is working.

Should the user get a splash page for login? Or should the authentication happen during the user's attempt to log in to their Windows machine?

2 Replies
ww
Kind of a big deal

Are you using the highest VLAN IP that's in the VPN? https://documentation.meraki.com/MX/Other_Topics/MX_and_Z1_Source_IP_for_RADIUS_Authentication

Did you check the logging on the RADIUS server about this connection?

PhilipDAth
Kind of a big deal

I've done it on Z3.  Using WPA2-Enterprise mode for WiFi and wired 802.1x for the Ethernet ports.  Worked fine.

Make sure the local LAN of the Z3 is included in AutoVPN, as that is what the RADIUS message will be sent from.  Otherwise, the request gets NATed to some magic public IPs, which won't work in a split VPN configuration.  You can do a packet capture at the RADIUS server to verify what is being received.
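
The source-address check suggested above can be run over a capture taken at the RADIUS server. This is an added example, not part of the thread or Meraki's own tooling: it parses the RADIUS header and attributes per RFC 2865 and classifies a request by the source IP the server saw. The subnet `10.20.0.0/16`, the function names and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

# Assumed (hypothetical) subnets advertised into AutoVPN; replace with your own.
VPN_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
ATTR_USER_NAME, ATTR_NAS_IP = 1, 4  # RFC 2865 attribute types


def parse_radius(payload: bytes) -> dict:
    """Parse the RADIUS header and attributes from a UDP payload (RFC 2865)."""
    if len(payload) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def check_request(src_ip: str, payload: bytes, subnets=VPN_SUBNETS) -> str:
    """Classify a captured packet by the source address the server saw."""
    pkt = parse_radius(payload)
    if pkt["code"] != 1:  # 1 = Access-Request
        return "not-access-request"
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in subnets):
        return "ok-vpn-source"
    return "source-outside-vpn"


def build_sample(user: bytes, nas_ip: str) -> bytes:
    """Constructed Access-Request for the demo (zeroed authenticator)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_NAS_IP, 6]) + ipaddress.ip_address(nas_ip).packed
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    sample = build_sample(b"host/laptop01", "10.20.5.1")
    print(check_request("10.20.5.1", sample))     # arrives over AutoVPN
    print(check_request("203.0.113.10", sample))  # arrives NATed to a public IP
```

A `source-outside-vpn` result for a teleworker's request means the RADIUS server's client list, which is keyed on source address, will not match the device's LAN IP.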
