NAC authenticated Meraki AP - Wireless clients not getting an IP address

Jamesfromit
New here


We are implementing an OPSWAT NAC to secure our wired and wireless network (wireless moving from Windows RADIUS).

We have set up a test SSID and have been able to authorise clients successfully, and they get the assigned VLAN in the group policy assigned.

The issue we have now is that we have added a test Meraki AP (MR44) to be authenticated at a MAC level to OPSWAT, which is successful, but when clients connect to the SSID on this AP they no longer get an IP: successful EAP auth but no IP.

The port the AP is connected to is a trunk and all the VLANs are allowed.

Am I missing something?

cmr
Kind of a big deal

What AP was working before for the test SSID?

Jamesfromit
New here

Yes, the AP was working fine with all current SSIDs and the test one, i.e. clients being authorised and getting IPs.

Since changing to auth the AP MAC against OPSWAT, clients fail to get an IP.

PhilipDAth
Kind of a big deal

Are you saying that you are doing wired authentication on the switch port that the AP plugs into?

Jamesfromit
New here

Yes, the Meraki AP is authorised via the wired port based on its MAC, then we need to do 802.1X auth for wireless clients connected to the Meraki AP.

Switches are Dell N series.

Port config as below:


storm-control broadcast level 10
storm-control multicast level 10
description "***AP***"
spanning-tree portfast
switchport mode trunk
switchport trunk native vlan 20
switchport trunk allowed vlan 20,25
authentication host-mode multi-auth
authentication max-users 10
authentication periodic
dot1x timeout tx-period 120
dot1x timeout server-timeout 60
mab
authentication order mab dot1x

 

PhilipDAth
Kind of a big deal

Is the SSID operating in bridge mode?

 

If it is, you must look closely at the switch port.  It sounds like something about the process is not allowing the client.

rhbirkelund
Kind of a big deal

Could it be that you are only allowing up to 10 users on the switch port?

Perhaps you could remove that, or increase it to a large number?

Jamesfromit
New here

Not even working for a single device, ring fenced testing to a single device

PhilipDAth
Kind of a big deal

What does the switch log say?
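
Added example, not part of the thread and not from any poster: a small Python check of the authentication and trunk lines from the port config posted above, covering the points the replies raise (bridge mode, the max-users limit, the VLANs carried on the trunk). It assumes the usual multi-auth behaviour in which every source MAC seen on the port is authenticated separately; VLAN 30 and the client count are constructed test inputs.

```python
# Relevant lines of the port config posted in the thread (Dell N series).
PORT_CONFIG = """\
switchport trunk allowed vlan 20,25
authentication host-mode multi-auth
authentication max-users 10
authentication order mab dot1x
"""

def expand_vlans(spec):
    """Expand '20,25' or '20-22,25' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_port(config):
    """Pull out the trunk and authentication settings the replies ask about."""
    port = {"allowed": set(), "host_mode": None, "max_users": None, "order": []}
    for line in config.splitlines():
        w = line.split()
        if w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            port["allowed"] = expand_vlans(w[4])
        elif w[:2] == ["authentication", "host-mode"]:
            port["host_mode"] = w[2]
        elif w[:2] == ["authentication", "max-users"]:
            port["max_users"] = int(w[2])
        elif w[:2] == ["authentication", "order"]:
            port["order"] = w[2:]
    return port

def check(port, client_vlans, wireless_clients):
    """Return findings for a bridge-mode SSID behind this switch port."""
    findings = []
    missing = sorted(set(client_vlans) - port["allowed"])
    if missing:
        findings.append(f"VLANs not allowed on trunk: {missing}")
    if port["host_mode"] == "multi-auth":
        # Assumption: every source MAC on the port is authenticated separately,
        # so the AP plus each bridged wireless client uses one session.
        sessions = wireless_clients + 1
        if port["max_users"] is not None and sessions > port["max_users"]:
            findings.append(f"{sessions} sessions exceed max-users {port['max_users']}")
        findings.append(f"client MACs are authenticated on the wired port via {port['order']}")
    return findings

if __name__ == "__main__":
    for finding in check(parse_port(PORT_CONFIG), client_vlans=[25, 30], wireless_clients=1):
        print(finding)
```

With a single test client the max-users limit is not reached, which matches the poster's single-device test; the remaining finding points at how the NAC answers the wired-port authentication for the client's own MAC.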
