Cisco Meraki Documentation

Roaming on Meraki wireless with 802.1X aging time and device limits

802.1X is an IEEE standard for port-based network access control that provides an authentication mechanism for devices wishing to gain access to a LAN or WLAN. Most switching vendors support 802.1X across their access layer switches, and it is commonly used as a means of securing the LAN from unknown or unwanted devices. The aging time parameter is one of several variables defined as a part of the 802.1X IEEE standard. Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit. The device behaves differently depending upon the type of aging, as follows:


Absolute

Port security notifies 802.1X and the device attempts to reauthenticate the host. The result of reauthentication determines whether the address remains secure. If reauthentication succeeds, the device restarts the aging timer on the secure address; otherwise, the device drops the address from the list of secure addresses for the interface.

Inactivity

Port security drops the secure address from the list of secure addresses for the interface and notifies 802.1X. The device attempts to reauthenticate the host. If reauthentication succeeds, port security secures the address again.

This becomes relevant in a Meraki wireless environment when the following two conditions are both true:

1. A Meraki AP is connected to a switchport with 802.1X port security configured

2. The aging time parameter is configured on the switchport(s) to which the Meraki AP(s) are connected

In this scenario, if a client were to roam between two Meraki APs that were each connected to switchports configured as above, the client would lose connectivity upon roaming between the APs for roughly the length of the configured aging time. So, if the 802.1X aging time was set to two minutes, the client would lose connectivity for roughly two minutes.

Under the hood, here is what would happen:

1. The client associates with the initial Meraki AP

2. The client authenticates successfully using 802.1X, receives an IP address via DHCP, and is granted access to the WLAN

3. The client then tries to roam from one AP to the next

4. The initial AP drops the client

5. The client is reassociated with the new AP

6. The client is automatically reauthenticated via 802.1X

7. The client DOES NOT receive a new IP address until AFTER the aging time expires

8. The aging time expires

9. The client finally receives an IP address via DHCP and is granted access to the WLAN

------------------------------------------

A similar type of problem can also occur if the user has set device limits for the number of MAC addresses that can be associated with a switchport. With Cisco switches, the maximum number of MAC addresses that can be associated with a switchport can be specified using the command 

Router(config-if)# switchport port-security maximum number_of_addresses vlan {vlan_ID | vlan_range}

If this command is configured on the switchport to which the Meraki AP is connected, the number of devices that can be associated with that particular AP will be limited to the number of MAC addresses specified in the command above.
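Both problems described on this page, the aging time that stalls roaming clients and the per-port MAC maximum that caps an AP's client count, are visible in the switch's running configuration. The following is an added example, not Meraki or Cisco code, that parses a constructed Cisco IOS config excerpt and flags AP uplink interfaces that carry either setting. The interface names, descriptions, the "AP-" description marker used to identify AP ports, and the threshold of 30 expected clients are all assumptions for the example; the port-security commands themselves are standard IOS syntax, and the assumption that port security defaults to a maximum of one secure MAC address when no maximum is configured reflects IOS behaviour.

```python
"""Audit a Cisco IOS running-config for port-security settings that break
roaming or cap client counts on AP uplink ports (added example, not vendor code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample config: Gi1/0/1 carries the problematic settings from the
# article, Gi1/0/2 is an AP port without aging and with a generous maximum,
# Gi1/0/3 is not an AP port and is ignored by the audit.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description AP-Meraki-Lobby
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 5
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/0/2
 description AP-Meraki-Conference
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 100
!
interface GigabitEthernet1/0/3
 description Printer
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 10
!
"""


@dataclass
class Interface:
    name: str
    description: str = ""
    port_security: bool = False
    maximum: Optional[int] = None      # None: not set, IOS defaults to 1
    aging_time: Optional[int] = None   # minutes; None: aging disabled
    aging_type: str = "absolute"       # IOS default once aging is enabled


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Collect the port-security relevant lines of every interface block."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(name=line.split(maxsplit=1)[1])
            interfaces[current.name] = current
        elif not line.startswith(" "):
            current = None  # '!' or a global command ends the block
        elif current is not None:
            cmd = line.strip()
            if cmd.startswith("description "):
                current.description = cmd[len("description "):]
            elif cmd == "switchport port-security":
                current.port_security = True
            elif m := re.match(r"switchport port-security maximum (\d+)", cmd):
                current.maximum = int(m.group(1))  # also matches the 'vlan' form
            elif m := re.match(r"switchport port-security aging time (\d+)", cmd):
                current.aging_time = int(m.group(1))
            elif m := re.match(r"switchport port-security aging type (\w+)", cmd):
                current.aging_type = m.group(1)
    return interfaces


def audit_ap_ports(config: str, ap_marker: str = "AP-",
                   min_clients: int = 30) -> Dict[str, List[str]]:
    """Return findings per AP uplink (identified by ap_marker in the description)."""
    report: Dict[str, List[str]] = {}
    for intf in parse_interfaces(config).values():
        if ap_marker not in intf.description or not intf.port_security:
            continue
        findings: List[str] = []
        if intf.aging_time is not None:
            findings.append(
                f"aging time {intf.aging_time} min ({intf.aging_type}): roaming "
                f"clients wait about {intf.aging_time} min before DHCP succeeds")
        maximum = 1 if intf.maximum is None else intf.maximum
        if maximum < min_clients:
            findings.append(
                f"maximum {maximum} secure MAC addresses caps this AP at "
                f"{maximum} clients")
        report[intf.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_ap_ports(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the sample, the audit reports two findings for GigabitEthernet1/0/1 (the two-minute inactivity aging and the cap of five clients) and none for GigabitEthernet1/0/2; the printer port is skipped because it is not an AP uplink. The same parser can be pointed at a saved `show running-config` to find every AP-facing port before a roaming complaint reaches the helpdesk.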

------------------------------------------

Overall, 802.1X is an important security feature used by a variety of organizations around the world. Be careful when using some of the 802.1X parameters as they can dramatically influence the performance of the LAN.
