The Meraki Community

jamesw

Getting noticed

Member since Oct 12, 2018

‎09-04-2022
Groups
  • API Early Access Group

    554
Kudos from (user: count)
  • CN (Meraki Alumni (Retired)): 1
  • PhilipDAth (Kind of a big deal): 1
  • CptnCrnch (Kind of a big deal): 1
Kudos given to (user: count)
  • AlexanderN (Meraki Employee): 1
  • Rodrigo_ (Meraki Employee): 1
  • Martin_Rowan: 1

Community Record

32 Posts
3 Kudos
0 Solutions

Badges

5th Birthday
First 5 Posts
Lift-Off
Latest Contributions by jamesw

Re: Meraki MR33's flooding network with LLDP

by jamesw in Wireless LAN
08-14-2022 05:33 PM
Could it be going crazy if there is a PoE power issue from the connected switch, or is LLDP just broadcasting its state?

Re: Meraki MR33's flooding network with LLDP

by jamesw in Wireless LAN
08-14-2022 04:38 PM
Thanks, but not seeing any other broadcast traffic being duplicated or similar. The Meraki's are on their own PoE switch, and if I disable the uplink port to our main switch the traffic instantly drops from 5MB/s to nothing (of course), but as soon as I enable the port again it goes mental.
Additionally, if I run the packet capture on the Meraki dashboard, selecting the AP's, this also shows the Meraki sending all of the LLDP broadcasts, so this is definitely coming from the AP itself.

Meraki MR33's flooding network with LLDP

by jamesw in Wireless LAN
08-14-2022 03:18 PM
I have three MR33's in an office and between them I'm seeing over 61,000 LLDP broadcasts in 40 seconds, all the same stuff. It's causing over 5MB/s on the switch ports they are connected to and because it's broadcast traffic this is going through all my switches/router. What are they doing? How can I disable LLDP on the AP's so they stop spamming?
Thanks!

Re: How to use both MAC based authentication *and* Click through/sign on at...

by jamesw in Wireless LAN
06-09-2021 01:38 AM
So kind of got this working with the mac based control and click through, but unfortunately it doesn't send Accounting Interim packets (only Start and Stop) so that's not great for what we need. When using "Sign on with my RADIUS server" it does send Interim updates as it has for many years. Hmm...

Re: How to use both MAC based authentication *and* Click through/sign on at...

by jamesw in Wireless LAN
06-04-2021 12:48 AM
Thanks Rodrigo. This is how most vendors work - if MAC authentication fails (Access-Reject), the user will be redirected to the captive portal page for authentication. If MAC authentication succeeds (Access-Accept) the user is straight online, no captive portal redirect.
I understand Meraki do it slightly differently, in that you must always send an Access-Accept else the client will not be able to even join the WLAN, but we still need some way to redirect them to the captive portal so they can register/login etc

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-31-2021 10:56 AM
Interested to know more on what you use the "Called-Station-Id" for when using the proxy, and why the format can't be changed? 🙂
Thanks

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-27-2021 09:19 PM
I really don't understand this decision. Why introduce a feature to make it more flexible, then take it away? Is there a technical reason why Meraki can't allow a customised Called-Station-Id format? This means your systems do not match and have no parity.
This will mean customers are not able to use the proxy, because it still uses the BSSID as the Called-Station-Id which is not useful. In your previous reply, you state "The change from BSSID to MAC address does now align with the rest of the industry" - but not if using proxy 🤔

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-27-2021 10:25 AM
What do you mean, you don't support it because you use it? 🙂
If a packet is being proxied from an AP, it should honour the same going through the proxy. If you can customise the NAS-ID when going through the proxy, what's the problem doing the same for Called-Station-Id?
This effectively means the proxy is useless as it can't be set to what it needs to be...

Re: Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 02:01 PM
We could, but it goes against the reason we exist, because customers don't want to install/set up anything that they don't already have. So, we can generally work with any wireless kit just by running our captive portal and RADIUS in the cloud, at no cost or extra software/hardware installed on the customers site.

Re: Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 01:24 PM
I see your point, but the problem is we are not a "customer" but a service provider. We don't own the kit, or install it, or have access to the setup on site. We provide a cloud captive portal/authentication/analytics service, so, it's not easy to ask our customers to configure site-to-site to us as we have thousands of Meraki customers around the globe using our solution and for now, we still can't support MAC authentication with captive portal bypass.

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-24-2021 01:21 PM
Hi Rodrigo
Correct, on the Access Control page. This is what I have set:
    Association requirements: MAC-based access control
    Splash page: None or Click-through
Scroll down to the RADIUS options and set:
    RADIUS CoA support: Unchecked
    RADIUS proxy: Checked
You'll see when you enable the RADIUS proxy option, the new Called-Station-Id option disappears but the NAS-ID option is there!
Thanks

Re: Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 01:15 PM
Thanks for the reply!
We're not using any kind of strange design, nowhere in the documentation does it mention or indicate that you must use a local, on-site based ISE server. Everything is moving off-site to the cloud, including the way Meraki has worked from day one - they are a cloud controller and RADIUS server, with just the AP's on site.
In reality, we're doing no different by hosting our RADIUS server in the cloud, it's just that there seems to be an expectation that an ISE server locally which isn't practical when you are a large service provider.
Therefore, I feel Meraki should make it possible to proxy this traffic/feature or at least some API service so that we can send the CoA to the Meraki cloud, which can then send the signal direct to the relevant AP, without any firewall/port forward mess.
The problem actually arises because Meraki are the only vendor I know that do not support MAC authentication with proper captive portal bypass. They do not allow you to select both MAC-based access control along with splash sign on via RADIUS server. So, their recommendation is to use the ISE option, which, in its current state, is one step forward and two steps back 🙂

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-24-2021 12:02 PM
Thanks Rodrigo!
This is also a similar query - wondering if you might be able to answer?
https://community.meraki.com/t5/Wireless-LAN/Mac-based-authentication-with-ISE-cloud-RADIUS-server-and-CoA/m-p/119165#M17008
Thanks
James

Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 02:01 AM
We're testing out the following:
    Association requirements: MAC-based access control
    Splash page: Cisco Identity Services Engine (ISE) Authentication
We run a cloud RADIUS server which acts as the ISE in terms of the RADIUS handling.
So the flow currently works like this:
  • Client associates to SSID
  • Local AP sends Access-Request to configured RADIUS cloud server IP
  • Our RADIUS replies with an Access-Accept and a Cisco-AVPair redirect url
  • Client is redirected to our splash page URL and registers etc
All good up until this point, but the problem is that to get the user online, we have to send a CoA request back to the local AP from our cloud RADIUS. Whilst we can open the firewall and perform a port forward to the AP, this only works if there is a single AP. More than one AP, and the solution falls over because you can't externally access all the different AP's using a single port forward.
Why can't Meraki allow the RADIUS proxy option to work with this setup? For true captive portal authentications we can send a CoA back to the Meraki cloud which in turn authenticates the user on the local AP. But for ISE, it disables the RADIUS proxy option.
Not everyone runs a local RADIUS server!
Does anyone know an alternative way of achieving MAC authentication AND external captive portal fall-back?
Thanks
J

Re: How to use both MAC based authentication *and* Click through/sign on at...

by jamesw in Wireless LAN
05-24-2021 12:46 AM
Thanks, can you elaborate any further?
Do we need to set up a new SSID in Meraki and use the same VLAN ID, or can it use the same SSID? What SSID should we configure the splash page settings/RADIUS for in case of the MAC authentication being rejected?
It seems a strange way of doing it...

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-21-2021 03:27 PM
Something I noticed... when you enable the RADIUS proxy option, the setting for the Called-Station-Id format disappears, but the NAS-ID format option is there.. this seems a little odd and I don't understand why you still can't set both?
Without proxy:
With proxy:
Bug, or something else?
Thanks
J

How to use both MAC based authentication *and* Click through/sign on at the...

by jamesw in Wireless LAN
05-21-2021 07:24 AM
In the UI, you can select:
    Association: MAC-based access control
    Splash page: Click through
It accepts this and all is okay (I know you can't use sign on with RADIUS and MAC-based access control together)
However, how does this work in practice?
I would expect, that if the RADIUS server replies with an Access-Reject, the end user will then be redirected to the configured click through splash URL, and if Access-Accept, the end user will be straight online without any splash authentication required.
But, it seems to not work like this. If you do Access-Reject, it doesn't allow the device even to associate. If you do Access-Accept, the user is connected with no click through splash redirect and has full Internet. So, how do you actually get it to redirect someone to the splash page?
Thanks
J

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-21-2021 12:53 AM
Brilliant, thanks for that.

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-20-2021 11:57 AM
Thanks! I'll await the update.

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-20-2021 10:27 AM
Brilliant so what you are confirming is that in MR28, by default, without the customer logging in and making a change, it will now start sending the AP MAC address in the Called-Station-Id by default (unless configured otherwise), and now include the NAS-ID and the two extra Meraki vendor specific attributes? 😁

Re: Definitive list of BSSID's / calculation for all Meraki OIU's?

by jamesw in Wireless LAN
05-20-2021 01:40 AM
2 Kudos
Having tested the new MR28 release it now sets the Called-Station-Id to the AP MAC address, and also includes a couple of extra attributes by default so that's great.

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-20-2021 01:13 AM
1 Kudo
Thanks Rodrigo
A couple of observations:
On our existing WPA2 enterprise SSID, after upgrading to MR28, it started using the new Called-Station-Id settings without me setting/changing anything on the Meraki dashboard. Also, when I created a new SSID and set it to MAC-based control only, and configured basic radius servers, it too automatically uses the new Called-Station-Id settings without me setting anything.
It seems the default setting for both Called-Station-Id and NAS-ID is "AP MAC address::SSID Name" / "AP MAC address::SSID Number" respectively - is this correct? (This is good for us, not complaining!)
Prior to MR28, when I connect to the SSID, it sent the following packet:
    User-Name = "112233445566"
    User-Password = ""
    NAS-IP-Address = 0.0.0.0
    Called-Station-Id = "0C-8D-DB-11-22-33:Free_WiFi"
    Calling-Station-Id = "99-88-77-66-55-44"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
and since MR28 we now see:
    User-Name = "112233445566"
    User-Password = ""
    NAS-IP-Address = 192.168.1.89
    ++ Service-Type = Call-Check
    >> Called-Station-Id = "0C-8D-DB-11-22-33:Free_WiFi"
    Calling-Station-Id = "99-88-77-66-55-44"
    >> NAS-Identifier = "0C-8D-DB-11-22-33:vap1"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    ++ Meraki-Device-Name = "0c:8d:db:11:22:33"
    ++ Meraki-Network-Name = "Test - wireless"
The lines marked >> are the new, configurable ones and the ones with ++ are now being included as extra, which is great. Is this what is to be expected?
Does this mean that once a customer upgrades to MR28, it will automatically start sending the new extra attributes, and changes the Called-Station-Id and NAS-ID to the default format as per above (which is much better than sending the BSSID MAC)
Again, not a complaint (been waiting for this for years), just ensuring I have my facts correct.
Thanks,
James

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-19-2021 12:28 PM
Great - can you tell me, the new RADIUS options for Called-Station-Id and NAS-ID, what RADIUS requests do they affect?
Does it change all RADIUS traffic, even Captive portal RADIUS, or just 802.1x. Is MAC authentication also included?
At present, without setting any of the new options, captive portal RADIUS traffic uses the AP MAC address as the Called-Station-Id, but 802.1x and MAC authentication uses the BSSID MAC instead.
Thanks,
James

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-19-2021 04:49 AM
Hi Alexander
Might you be able to provide some more detail/documentation around this in particular:
    [New] RADIUS enhancements (e.g., NAS-ID configuration, Called-Station ID configuration)
Thanks,
J

Re: Definitive list of BSSID's / calculation for all Meraki OIU's?

by jamesw in Wireless LAN
05-19-2021 04:40 AM
Thanks for your reply, and appreciate you updating the article in the past.
So, if what you're saying is correct, this would affect MAC authentication requests too, or just 802.1x (WPA-enterprise)? What about captive portal authentication, which already sends the real AP MAC address as Called-Station-Id?
What is the purpose of the option to add multiple choices for the Called-Station-Id and NAS-ID? Is this to append more than one to the attribute value (with a delimiter?), e.g. if I select #1 as AP MAC address and then #2 as SSID name it would send:
    Called-Station-Id = 00-18-0A-11-22-33:SSIDName
This is definitely welcomed news, providing it doesn't mess up the existing Captive portal Called-Station-Id setup which is already good.
Finally, I just wish Meraki are able to send some better attributes in the 802.1x/Mac auth Access-Request, as it's so basic. Even the accounting packet has a lot more, but not the Access-Request:
    Access-Request (1), id: 0xdd, Authenticator: f07ee2f820b20568bd6bc3fdd7625fc2
    User-Name Attribute (1), length: 14, Value: 001122334455
    User-Password Attribute (2), length: 18, Value:
    NAS-IP-Address Attribute (4), length: 6, Value: 192.168.96.6
    Called-Station-Id Attribute (30), length: 44, Value: 8A-15-14-AF-9A-A8:SSID
    NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
    Calling-Station-Id Attribute (31), length: 19, Value: 00-11-22-33-44-55-66
If it could include some of the same attributes like the Accounting request, for example the Meraki Vendor Specific like AP Name or even something that at least tells me its from a Meraki AP that would be good. This way I don't have to rely on figuring out BSSID's.
Thanks!
J
My Top Kudoed Posts
  • Re: Definitive list of BSSID's / calculation for all Meraki OIU's? (Wireless LAN): Kudos 2, Views 2594
  • Re: MR 28 Private Beta Sign Up (Wireless LAN): Kudos 1, Views 9983
© 2023 Meraki