NAC authenticated Meraki AP - Wireless clients not getting an IP address

Jamesfromit
New here

NAC authenticated Meraki AP - Wireless clients not getting an IP address

We are implimenting a OPSWAT NAC to secure our wired and wireless network (Wireless moving from Windows RADUIS)

 

We have set up a test SSID and have been able to authorise clients sucessfully and they get the assigned vlan in the group policy assigned.

 

The issue we have now that we have added a test meraki AP (MR44) to be quthenericated at a MAC level to OPSWAT, which is sucessful but when client connect tpo the SSID on this AP they no longer get an IP, sucessful EAP auth but no IP.

 

Port the Ap is connected to is a trunk and all the vlans are allowed

 

am i missing something ?

8 Replies 8
cmr
Kind of a big deal
Kind of a big deal

What AP was working before for the test SSID?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Jamesfromit
New here

Yes AP was working fine with all current SSID's and the test one - i.e. clients being authorised and getting IP's.

 

Since chnaging to auth the AP MAC agaist OPSWAT client fail to get an IP

PhilipDAth
Kind of a big deal
Kind of a big deal

Are you saying that you are doing wired authentication on the switch port that the AP plugs into?

Jamesfromit
New here

Yes the Meraki AP is authroised via the wired port based on its mac, then we need to do 802.1x auth for wireless clients connected to the Meraki AP.

 

Switches are Dell N series

 

Port config as below

 

storm-control broadcast level 10
storm-control multicast level 10
description "***AP***"
spanning-tree portfast
switchport mode trunk
switchport trunk native vlan 20
switchport trunk allowed vlan 20,25
authentication host-mode multi-auth
authentication max-users 10
authentication periodic
dot1x timeout tx-period 120
dot1x timeout server-timeout 60
mab
authentication order mab dot1x

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Is the SSID operating in bridge mode?

 

If it is, you must look closely at the switch port.  It sounds like something about the process is not allowing the client.

rhbirkelund
Kind of a big deal
Kind of a big deal

Could it be that you are only allowing up to 10 users on the switch port?

Perhaps you could remove that, or increase it to a large number?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Jamesfromit
New here

Not even working for a single device, ring fenced testing to a single device

PhilipDAth
Kind of a big deal
Kind of a big deal

What does the switch log say?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels