MR behind an MX with dot1x/MAB and ISE for RADIUS. Wireless clients show up as MAB.
I have a wireless client (Windows native supplicant) connecting to a dot1x SSID on a Meraki MR AP. The MR is wired to the MX, and on the MX interface connected to the AP, there is a hybrid access policy. We also run ISE as the RADIUS servers. The intent is to have the MR APs connect with MAB auth (ISE has an already populated identity group with the AP MAC addresses), and any other wired or wireless device to use dot1x to authenticate.
Everything works fine, but we have come to notice that when wireless clients connect to the SSID, we see both the dot1x and MAB authentication. We don't plan on keeping or building out a MAC identity group in ISE for wireless client MACs. Is there a way to disable MAB on the Meraki for these clients, but keep MAB enabled for the AP? Is there a way to truly lock down the MAB authentication/authorization policy in ISE in this setup?
Anyone else encounter something like this?
Hi,
So you are saying that the MX is trying to auth every single client behind the MR?
I don't think you can solve that issue tbh...
If the port was configured in a trunk it wouldn't do that but you would lose the 802.1X auth of your AP since you can't have .1X on a trunk port.
Yes, it would appear so (based on Meraki event logs). Does the issue have to do with multiple host auth on Merakis?
Is there an effective way to apply NAC to the MX interfaces with an MR connected to it?
I don't think so. I think the closest you could manage would be SecurePort between an MR and an MS (not an MX).
https://documentation.meraki.com/MS/Access_Control/SecurePort_(formerly_known_as_SecureConnect)
