I have a wireless client (Windows native supplicant) connecting to a dot1x SSID on a Meraki MR AP. The MR is wired to the MX, and on the MX interface connected to the AP, there is a hybrid access policy. We also run ISE as the RADIUS servers. The intent is to have the MR APs connect with MAB auth (ISE has an already populated identity group with the AP MAC addresses), and any other wired or wireless device to use dot1x to authenticate. Everything works fine, but we have come to notice that when wireless clients connect to the SSID, we see both the dot1x and MAB authentication. We don't plan on keeping or building out a MAC identity group in ISE for wireless client MACs. Is there a way to disable MAB on the Meraki for these clients, but keep MAB enabled for the AP? Is there a way to truly lock down the MAB authentication/authorization policy in ISE in this setup? Anyone else encounter something like this?