Radius - Meraki Test
Hi All
Looking through our ISE box last night (never really use it),
I started to see all the failures for 'meraki_8021x_test' coming through, and ISE dropping the requests rather than accepting/rejecting the request.
From what I understand, because these are being dropped the APs are constantly requesting every hour for the correct reply and will jump between our primary and backup ISE for requests until so
Does anyone have a policy with this working in ISE? I am not a great user - I have tried to add an OR section but it seemed to have no effect.
So at the moment I have 500+ APs sending these test requests hourly and throwing off the errors in the logs.
Also, it says when it fails there would be a log shown in Meraki events, but this does not appear... but I am definitely seeing APs constantly request from ISE multiple times with that username.
Any help or suggestions would be great.
Cheers
Hello
Yep, I have the full subnet ranges allowed, but I always have conditions for host/ or domain username and something like #meraki as the vendor.
I would be happy just being able to change the drop to a reject - at least this way the AP would get a response.
I need to look more into this on Monday - our ISE box is built through trial and error rather than full knowledge, so little things like this end up turning into larger tasks just trying to find the correct policy setting.
Cheers
If it is a big problem you could simply disable RADIUS server testing.
Can you configure ISE to send the ACCESS_REJECT rather than filtering it out? Or could you create an actual user meraki_8021x_test and disable the account, so there is something more real to authenticate with?
The authentication will always fail because there is no way to enter a password for the test username. Just create the user, set the policy not to drop the failed authentication, and hide the test username from the logs.
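Added example, not part of the thread and not Meraki or Cisco code: the replies above turn on the difference between a dropped request and an Access-Reject. This sketch builds an RFC 2865 PAP Access-Request for the test username and classifies the outcome; the shared secret, password and NAS-Identifier values are assumptions, and it does not claim to reproduce the exact packet an AP sends.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: MD5 chain XORed over 16-byte blocks."""
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, ident, authenticator) -> bytes:
    # User-Name (1), User-Password (2), NAS-Identifier (32, assumed value)
    attrs = (attr(1, user.encode())
             + attr(2, hide_password(password, secret, authenticator))
             + attr(32, b"radius-probe"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def classify_reply(reply, request: bytes, secret: bytes) -> str:
    """'dropped' means no answer; an authentic accept/reject proves the server is alive."""
    if reply is None:
        return "dropped"
    if len(reply) < 20:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or not 20 <= length <= len(reply):
        return "invalid"
    reply = reply[:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def probe(server, secret, user="meraki_8021x_test", port=1812, timeout=3.0) -> str:
    """Send one request; the password is an arbitrary placeholder, so expect 'reject'."""
    request = build_access_request(user, b"placeholder", secret,
                                   os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, request, secret)
```

The host running `probe` has to be defined as a network device on the RADIUS server with the same shared secret; RFC 2865 servers silently discard requests from unknown clients, which would also show up as `dropped`.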
Thank you,
makes sense when you say create the user - I was just doing a policy that says anything matching the Meraki_test without creating it on the ISE box first.
I will give this a go.
For the moment we now have TAC looking at our ISE box because we have a bug with our logging causing the primary to crash, so we are down to the secondary ISE box only.
Should have just stuck with Windows RADIUS, would have been a world of ease - but security teams have their crazy ideas of buying boxes for $$$$ and then dumping them off just so they can say they have the product (rant moment).