Can you send a response from the radius server that puts the port into port isolation (or not) together with vlan and all other "normal" settings.
I can't find anything about it, so I'm guessing no, but someone might know for sure 🙂
Thanks
Thomas
I’ve never tried to, but I’ve also never seen anything that says you can. What are you trying to achieve? Can you use Group Policy ACLs to lock the port down?
I was thinking about using GP, and ACL, but I think my "problem" would explode in number of ACL's and GPs.
Hi @thomasthomsen , have I read your request correctly, is this what you are after? Radius and change of authorisation?
We are using CoA for other things in this setup, but it cannot solve my "layer2" port isolation problem.
You can push a Vlan ID to MS.
You can't push any other settings.
@PhilipDAth, you're correct that was the case, but now you can apply the Layer 3 ACLs from a Group Policy to an MS port with 802.1x. You return the name of the Group Policy in the Filter-ID in the RADIUS response. Needs the MS14 firmware though. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...
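An added illustration of the response shape described in this answer (not code from the thread or from Meraki): a RADIUS Access-Accept that carries the VLAN assignment as RFC 2868 Tunnel attributes alongside a Group Policy name in Filter-Id, plus the receiving side's check of the Response Authenticator before trusting either value. The policy name "Isolated-Clients", VLAN 20, the shared secret and the packet identifier are assumed sample values.

```python
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2868)
ACCESS_ACCEPT = 2
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81


def attr(atype, value):
    """Encode one attribute as type(1) length(1) value (length covers the two header bytes)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(value, tag=0):
    """Tunnel-* integer attributes are a 1-byte tag followed by a 3-byte value (RFC 2868)."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def build_access_accept(ident, request_authenticator, secret, vlan_id, group_policy):
    """Build an Access-Accept assigning a VLAN and naming a Group Policy in Filter-Id (sample values)."""
    attrs = (
        attr(TUNNEL_TYPE, tagged_int(13))                                  # 13 = VLAN
        + attr(TUNNEL_MEDIUM_TYPE, tagged_int(6))                          # 6 = IEEE-802
        + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())   # tag 0 + VLAN as a string
        + attr(FILTER_ID, group_policy.encode())                           # Group Policy name
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header; return {type: [raw values]}."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return out


def extract_port_settings(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then return the VLAN and Group Policy name the reply carries."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + request_authenticator + attrs + secret).digest() != resp_auth:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    a = parse_attributes(packet)
    vlan_raw = a[TUNNEL_PRIVATE_GROUP_ID][0]
    if vlan_raw and vlan_raw[0] <= 0x1F:   # leading byte is an RFC 2868 tag, not part of the VLAN string
        vlan_raw = vlan_raw[1:]
    return {"vlan": int(vlan_raw.decode()), "group_policy": a[FILTER_ID][0].decode()}
```

The VLAN string is accepted with or without the leading tag byte, since RADIUS servers differ on whether they emit it for Tunnel-Private-Group-Id.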
Yeah, we could push a GP, but on a layer 2 switch would that be "honoured" at the switch, or would that only be applied on the MX's layer 3 interface? We like port isolation because it blocks all the way down between clients on the same vlan.
We could of course have gone SGTs (Adaptive policy or whatever it's called in a Meraki setup), but time and money.
And SGTs do not yet extend all the way across MXs and AutoVPN, so just for this small scenario it was kinda overkill; the day it does (extend across MXs and AutoVPN), it will be a super solution 🙂.
So our quick and dirty solution for now was port isolation, but then we "kinda" ran into this problem with some ports (devices) that might not "need" it.
We use dot1x for everything, so it would have been nice if we could have toggled that port isolation switch using a radius response.
Thanks for all the suggestions and comments.
@thomasthomsen when you use the Group Policy ACL it's enforced on the switch; it uses the capability of the MS devices' ACL mechanism and dynamically applies the policy in the Group Policy to that port. It's just like any other ACL that you apply on the switch. Remember it's only the Layer 3 policy in the Group Policy that is applied (and that's because the MS only does ACLs).
EDIT: Should mention, check the models it's supported on too; it's not supported on all models. Newer models, MS210 and up only (except MS390). So no support on MS220 or MS120 switches.