Radius - Meraki Test

Lagcat
Getting noticed

Hi All,

Looking through our ISE box last night (never really use it), I started to see all the failures for 'meraki_8021x_test' coming through and ISE dropping the requests rather than accepting/rejecting the request.

From what I understand, because these are being dropped the APs constantly request every hour for the correct reply and will jump between our primary and backup ISE for requests until so

Does anyone have a policy with this working in ISE? I am not a great user - I have tried to add an OR section but it seemed to have no effect.

So at the moment I have 500+ APs sending these test requests hourly and throwing off the errors in the logs.

Info I found here

Also it says when it fails there would be a log shown in Meraki events, but this does not appear... but I am definitely seeing APs constantly requesting from ISE multiple times with that username.

Any help or suggestions would be great.

Cheers

5 Replies
NolanHerring
Kind of a big deal

Do you have the subnets the access points live on (their IPs) allowed within ISE as a network device?
Nolan Herring | nolanwifi.com
Lagcat
Getting noticed

Hello,

Yep, I have the full subnet ranges allowed, but I always have conditions for host/ or domain username and something like #meraki as the vendor.

I would be happy just being able to change the drop to a reject - at least this way the AP would get a response.

I need to look more into this Monday - our ISE box is built through trial and error rather than full knowledge, so little things like this end up turning into larger tasks just trying to find the correct policy setting.

Cheers

PhilipDAth
Kind of a big deal

If it is a big problem you could simply disable RADIUS server testing.

Can you configure ISE to send the ACCESS_REJECT rather than filtering it out? Or could you create an actual user meraki_8021x_test and disable the account, so there is something more real to authenticate with?

peto
Getting noticed

The authentication will always fail because there is no way to enter a password for the test username. Just create the user, set the policy not to drop the failed authentication, and hide the test username from the logs.
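The exchange PhilipDAth and peto describe, as an added Python example that is not from this thread, from Cisco or from Meraki: the AP sends a RADIUS Access-Request with the test username, and the server answers with an Access-Reject carrying a correctly computed Response Authenticator (RFC 2865), so the AP gets a definitive reply instead of a timeout that makes it retry and fail over. The shared secret, packet builder and handler are constructed for illustration, not ISE policy configuration.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"example-shared-secret"  # constructed; in practice the NAS secret configured in ISE
TEST_USER = b"meraki_8021x_test"  # username the Meraki AP sends in its hourly RADIUS server test

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1

def attr(atype, value):
    # RADIUS attribute: Type (1 byte), Length (1 byte, includes this header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username):
    # The AP side: Code, Identifier, Length, random Request Authenticator, attributes.
    # The User-Password attribute the real probe carries is omitted; it plays no part in the reject.
    authenticator = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_username(packet):
    # Walk the attribute list after the 20-byte header and return User-Name, if present.
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return None  # malformed attribute; stop rather than loop forever
        if atype == ATTR_USER_NAME:
            return packet[pos + 2:pos + alen]
        pos += alen
    return None

def build_response(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def handle_request(request, secret):
    # Server-side policy: answer the test account with Access-Reject instead of silently dropping it,
    # so the AP gets a definitive reply and does not retry or fail over to the backup server.
    if parse_username(request) == TEST_USER:
        return build_response(ACCESS_REJECT, request, secret)
    return None  # everything else continues to the normal authentication flow (not modelled here)

def verify_response(response, request, secret):
    # The AP side: a reply is only trusted if it echoes the identifier and its authenticator checks out.
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```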

Lagcat
Getting noticed

Thank you,

Makes sense when you say create the user - I was just doing a policy to say anything matching the Meraki_test without creating it on the ISE box first.

I will give this a go.

For the moment we now have TAC looking at our ISE box because we have a bug with our logging causing the primary to crash, so we are down to the secondary ISE box only.

Should have just stuck with Windows RADIUS, would have been a world of ease - but security teams have their crazy ideas of buying boxes for $$$$ and then dumping them off just so they can say they have the product (rant moment).
