dot1x and Port Isolation

Solved
thomasthomsen
Kind of a big deal

dot1x and Port Isolation

Can you send a response from the radius server that puts the port into port isolation (or not) together with vlan and all other "normal" settings.

I can't find anything about it, so I'm guessing no, but someone might know for sure 🙂


Thanks

Thomas

9 Replies
Bruce
Kind of a big deal

I’ve never tried to, but I’ve also never seen anything that says you can. What are you trying to achieve? Can you use Group Policy ACLs to lock the port down?

thomasthomsen
Kind of a big deal

I was thinking about using GP and ACL, but I think my "problem" would explode in the number of ACLs and GPs.


DarrenOC
Kind of a big deal

Hi @thomasthomsen, have I read your request correctly, is this what you are after? RADIUS and Change of Authorisation?


https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_S...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
thomasthomsen
Kind of a big deal

We are using CoA for other things in this setup, but it cannot solve my "layer2" port isolation problem.

PhilipDAth
Kind of a big deal

You can push a VLAN ID to MS.

You can't push any other settings.

Bruce
Kind of a big deal

@PhilipDAth, you're correct that was the case, but now you can apply the Layer 3 ACLs from a Group Policy to an MS port with 802.1x. You return the name of the Group Policy in the Filter-ID in the RADIUS response. Needs the MS14 firmware though.  https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

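The Access-Accept described in the reply above, as an added example that is not from this thread or from Meraki: a small Python encoder and parser for the RADIUS attributes involved, the RFC 3580 tunnel attributes that carry the VLAN and the Filter-Id that carries the Group Policy name. VLAN 100, tag value 1 and the Group Policy name "Quarantine" are assumed placeholders, not values from the original post.

```python
import struct
from typing import Optional

# RADIUS attribute type codes (RFC 2865 and RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values RFC 3580 uses to signal a VLAN assignment to an 802.1X authenticator
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel attribute tags are 0x00-0x1F")
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(atype: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: one tag byte, then the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel attribute tags are 0x00-0x1F")
    return attr(atype, bytes([tag]) + text.encode())


def build_access_accept_attrs(vlan_id: int, group_policy: Optional[str] = None, tag: int = 1) -> bytes:
    """Attributes a RADIUS server returns to assign a VLAN and, optionally, name a Group Policy.

    The three tunnel attributes share one tag so the authenticator treats them as
    a set (RFC 2868); Filter-Id carries the policy name as a plain string.
    """
    attrs = (
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    )
    if group_policy is not None:
        attrs += attr(FILTER_ID, group_policy.encode())
    return attrs


def parse_attrs(data: bytes):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length does not fit in packet")
        out.append((atype, data[i + 2 : i + length]))
        i += length
    return out


def decode_access_accept(data: bytes) -> dict:
    """Recover the VLAN and Group Policy name the way an authenticator would."""
    result = {"vlan": None, "group_policy": None}
    tunnel = {}  # tag -> {attribute type: value}
    for atype, value in parse_attrs(data):
        if atype == FILTER_ID:
            result["group_policy"] = value.decode()
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tunnel.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte above 0x1F is data, not a tag
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnel.setdefault(tag, {})[atype] = text.decode()
    for members in tunnel.values():
        # Only a complete VLAN/IEEE-802 set with a group id is a VLAN assignment
        if (members.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and members.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in members):
            group_id = members[TUNNEL_PRIVATE_GROUP_ID]
            result["vlan"] = int(group_id) if group_id.isdigit() else group_id
            break
    return result


if __name__ == "__main__":
    # Assumed placeholders: VLAN 100 and a Group Policy named "Quarantine"
    accept = build_access_accept_attrs(100, "Quarantine")
    print(accept.hex())
    print(decode_access_accept(accept))
```

The parser only treats Tunnel-Private-Group-Id as a VLAN when Tunnel-Type and Tunnel-Medium-Type with the same tag say VLAN over IEEE 802, which is how RFC 3580 authenticators behave; a stray group id on its own is ignored. Filter-Id only names the Group Policy, and, as the replies below point out, the switch decides which of that policy's settings it can enforce.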
thomasthomsen
Kind of a big deal

Yeah we could push a GP, but on a Layer 2 switch would that be "honoured" at the switch? Or would that only be applied on the MX's Layer 3 interface? - We like port isolation because it blocks all the way down between clients on the same VLAN.


We could of course have gone SGTs (Adaptive Policy or whatever it's called in a Meraki setup), but time and money.

And SGTs do not yet extend all the way across MXs and AutoVPN, so just for this small scenario it was kinda overkill; the day it does (extend across MXs and AutoVPN), it will be a super solution 🙂 .

- So our quick and dirty solution for now was port isolation, but then we "kinda" ran into this problem with some ports (devices) that might not "need" it.

We use dot1x for everything, so it would have been nice if we could have toggled that port isolation switch using a RADIUS response.


Thanks for all the suggestions and comments.

Bruce
Kind of a big deal

@thomasthomsen when you use the Group Policy ACL it's enforced on the switch; it uses the capability of the MS device's ACL mechanism and dynamically applies the policy in the Group Policy to that port - it's just like any other ACL that you apply on the switch. Remember it's only the Layer 3 policy in the Group Policy that is applied (and that's because the MS only does ACLs).


EDIT: Should mention, check the models it's supported on too - it's not supported on all models. Newer models, MS210 and up only (except MS390). So no support on MS220 or MS120 switches.

PhilipDAth
Kind of a big deal

Thanks for the info @Bruce .  That is a good feature additional to MS14.
