Meraki AP dot1x for clients and mab for AP auth

Rashu

Hi,

I have this weird problem with 802.1x and mab authentication when I'm also trying to authenticate the access point itself before granting it access to the network.

The Meraki APs are using ISE as the RADIUS server on both SSIDs. I use 802.1x with ISE for the office SSID and MAB for the guest SSID.

I've set up 2 different SSIDs with ISE as RADIUS, trunked the APs to Cisco switches, and I use tags so that each AP uses different VLANs for each SSID based on the building (this is where tags come into play).

So far all is good and everything is working as expected; people can use either of the 2 SSIDs (guest or office) without any problems.

Now here comes the fun part. As I don't like the access points being connected to a switch port without any authentication, I have enabled MAB auth on the port (as the Meraki APs don't support 802.1x to authenticate themselves), and using ISE profiling + MAB I now have a policy that authorizes the APs with the right access. But the problem is that, as the clients' MAC addresses appear on the same port, the switch will try to authenticate those clients using MAB as well. And guess what: if a PC was used on the guest network, and that session is still active, the switch will authenticate that PC and give it guest access even if that PC is actually connected to the AP on the 802.1x SSID (office network).

Has anyone seen this problem, or has anyone tried to authenticate the APs with your RADIUS server?

Is there a way to make the switch authenticate only the AP and leave everything else alone, as those clients are authenticated by the AP anyway?

Am I missing something, or should I keep the port where the access point is connected without any MAB/802.1x configuration, as that's not something that can be done at this point?

Let me know if you need more details or if I wasn't very clear on what I'm trying to do.

Thank you,

Dan

PhilipDAth

That is a tricky one.

Can't you do MAB by VLAN (consider a phone with a PC plugged into it)? If the AP management is in a dedicated VLAN, you should be able to just authenticate the AP on that single VLAN and not do authentication on any other VLANs.

Rashu

Thank you for your suggestion, Philip. I don't think there is a way to configure MAB by VLAN; I agree that would have solved my problem, but you can't do it on Cisco switches.
