MR behind an MX with dot1x/MAB and ISE for RADIUS. Wireless clients show up as MAB.

danxr
Comes here often


I have a wireless client (Windows native supplicant) connecting to a dot1x SSID on a Meraki MR AP. The MR is wired to the MX, and on the MX interface connected to the AP there is a hybrid access policy. We also run ISE as the RADIUS servers. The intent is to have the MR APs authenticate with MAB (ISE has an already populated identity group with the AP MAC addresses), and any other wired or wireless device use dot1x to authenticate.

Everything works fine, but we have come to notice that when wireless clients connect to the SSID, we see both the dot1x and the MAB authentication. We don't plan on keeping or building out a MAC identity group in ISE for wireless client MACs. Is there a way to disable MAB on the Meraki for these clients but keep MAB enabled for the AP? Is there a way to truly lock down the MAB authentication/authorization policy in ISE in this setup?

Anyone else encounter something like this?
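To make the distinction the poster is asking ISE to enforce concrete, here is an added example (not the poster's configuration and not ISE's own code) that models how a NAC policy tells MAB from 802.1X at the RADIUS level and then applies a first-match rule set that only lets MAB succeed for MACs in the AP identity group. The AP MACs, the rule names and the three sample Access-Requests are constructed for illustration; an MX with a hybrid access policy is assumed to send the third one (a wireless client MAC presented as MAB) on the AP's port.

```python
"""Model of an ISE-style MAB lockdown for the setup described in the post.

Constructed example: the AP identity group, the rule names and the sample
Access-Requests are made up. It is not the poster's config or ISE's code.
"""
import re

# Hypothetical AP identity group: MACs of the Meraki MR uplinks (made up).
AP_IDENTITY_GROUP = {"ac:17:c8:11:22:33", "ac:17:c8:44:55:66"}


def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff for any common MAC spelling, or None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(digits) != 12:
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def auth_method(req):
    """Classify an Access-Request the way a NAC policy condition would.

    802.1X requests carry EAP-Message; MAB requests carry
    Service-Type=Call-Check with a User-Name equal to the Calling-Station-Id.
    """
    if "EAP-Message" in req:
        return "dot1x"
    calling = normalize_mac(req.get("Calling-Station-Id"))
    if (req.get("Service-Type") == "Call-Check"
            and calling is not None
            and normalize_mac(req.get("User-Name")) == calling):
        return "mab"
    return "unknown"


def authorize(req):
    """First-match rule set (hypothetical) that confines MAB to the AP group.

      1. MAB and Calling-Station-Id in AP identity group -> PermitAccess
      2. MAB from any other MAC                          -> Reject (no fallback)
      3. 802.1X                                          -> Continue to dot1x policy
      4. anything else                                   -> Reject
    """
    method = auth_method(req)
    mac = normalize_mac(req.get("Calling-Station-Id"))
    if method == "mab":
        if mac in AP_IDENTITY_GROUP:
            return {"method": method, "mac": mac, "result": "PermitAccess", "rule": "MAB-AP"}
        return {"method": method, "mac": mac, "result": "Reject", "rule": "MAB-Default"}
    if method == "dot1x":
        return {"method": method, "mac": mac, "result": "Continue", "rule": "Dot1X"}
    return {"method": method, "mac": mac, "result": "Reject", "rule": "Default"}


# Constructed Access-Requests: AP MAB, a client's 802.1X, and the same client
# MAC surfacing as MAB on the AP's port (the behaviour the post describes).
SAMPLE_REQUESTS = [
    {"User-Name": "AC-17-C8-11-22-33", "Calling-Station-Id": "ac:17:c8:11:22:33",
     "Service-Type": "Call-Check", "NAS-Port-Id": "port4"},
    {"User-Name": "alice", "Calling-Station-Id": "3c:22:fb:aa:bb:cc",
     "Service-Type": "Framed", "EAP-Message": "<eap>", "NAS-Port-Id": "port4"},
    {"User-Name": "3C22FBAABBCC", "Calling-Station-Id": "3c:22:fb:aa:bb:cc",
     "Service-Type": "Call-Check", "NAS-Port-Id": "port4"},
]


def evaluate(requests):
    """Run every request through the rule set and return the decisions in order."""
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    for d in evaluate(SAMPLE_REQUESTS):
        print(f"{d['method']:6} {d['mac']}  rule={d['rule']:12} -> {d['result']}")
```

The evaluator only shows what a policy set with no MAB fallback does with the extra requests: the AP is permitted, the client's EAP exchange goes to the dot1x rules, and the client MAC offered as MAB is rejected rather than silently permitted. It says nothing about what the MX does with that reject for a MAC learned behind the AP, which is the open question in this thread.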

3 Replies
RaphaelL
Kind of a big deal

Hi ,

So you are saying that the MX is trying to auth every single client behind the MR?

I don't think you can solve that issue tbh...

If the port was configured in a trunk it wouldn't do that but you would lose the 802.1X auth of your AP since you can't have .1X on a trunk port.

danxr
Comes here often

Yes, it would appear so (based on Meraki event logs). Does the issue have to do with multiple-host auth on Merakis?


Is there an effective way to apply NAC to the MX interfaces with an MR connected to it?

PhilipDAth
Kind of a big deal

I don't think so. I think the closest you could manage would be SecurePort between an MR and an MS (not an MX).

https://documentation.meraki.com/MS/Access_Control/SecurePort_(formerly_known_as_SecureConnect)
