Hi,

I have this weird problem with 802.1x and mab authentication when I'm also trying to authenticate the access point itself before granting it access to the network.

The Meraki APs are using ISE as radius on both SSIDs. I use 802.1x with ISE for office SSID and MAB for guest SSID.

I've set 2 different SSID's with ISE as radius, trunked the APs to cisco switches and I use tags so that each APs uses different VLANs for each SSID based on different building(this where tags come in place).

So far all is good and everything is working as expected, people can use any of the 2 SSIDs(guest or office) without any problems.

Now here comes the fun part, as I don't like the access points being connected on a switch port without any authentication I have enabled MAB auth on the port(as the meraki APs don't support 802.1x to authenticate themselves) and using ISE profiling + MAB I now have a policy that authorize the APs with the right access. But the problem is as the clients MAC addresses appear on the same port, the switch will try to authenticate using MAB those clients as well. And guess what if a PC was used on the guest network which is still active the switch will authenticate that PC and give it guest access even if that PC is actually connected to the APs on the 802.1x SSID(office network).  

Has anyone seen this problem or has anyone tried to authenticate the APs with your radius server?

Is there a way to make the switch authenticate only the AP and leave everything else alone as those are authenticated by the AP anyway?

Am I missing something or I should keep the port where the access point is connected without any MAB/802.1x configuration as that's not somethign that can be done at this point?

Let me know if you need more details or if I wasn't very clear on what I'm trying to do.

Thank you,

Dan