
MS Switch Access Policies (802.1X)

Cisco Meraki MS switches offer the ability to configure access policies, which require connecting devices to authenticate against a RADIUS server before they are granted network access. These access policies are typically applied to ports on access-layer switches, to prevent unauthorized devices from connecting to the network.

This article outlines what options are available for access policies, how to configure access policies in Dashboard, and configuration requirements for RADIUS servers.

As of MS 9.16, changes to an existing access policy will cause a port-bounce on all ports configured for that policy.

Host Modes

There are two authentication host modes to choose from:

  • Single-Host (Default)
    With single-host authentication, all connected devices will attempt authentication and an unauthorized device will cause a security violation. This mode is recommended for switchports with only one client attached.
     
  • Multi-Domain
    With multi-domain authentication, one device can be authenticated on each of the data and voice VLANs; if a second device is detected on one of the VLANs, the port will be put into a blocked state.  In this mode, Hybrid Authentication is used and Voice VLAN authentication is required.  This mode is recommended for switchports connected to a phone with a device behind the phone.  Authentication is independent on each VLAN and will not affect the forwarding state of each other.

Multi-Domain is not to be confused with Multi-Authentication, which is the ability to authenticate multiple hosts on one switchport.
Support for Multi-Domain Authentication is included in MS 9.0.

Access Policy Types

There are three options available for an access policy in Dashboard:

  • 802.1x (Default)
    When an 802.1x access policy is enabled on a switchport, a client that connects to that switchport will be prompted to provide their domain credentials. If the RADIUS server accepts these credentials as valid, their device will be granted access to the network and get an IP configuration. If no authentication is attempted, they will be put on a "guest" VLAN, if one is defined.
    802.1x access policies are commonly used in enterprise environments, since they can authenticate against the existing domain userbase.
     
  • MAC Authentication Bypass (MAB)
    When a MAB access policy is enabled on a switchport, the client's MAC address is authenticated against a RADIUS server without needing to prompt the user. If the server accepts the MAC as valid credentials for the network, the device will be allowed access.
    MAB access policies are useful for a more seamless user experience, restricting the network to specific devices without needing to prompt the user.
     
  • Hybrid Authentication
    When a hybrid access policy is enabled on a switchport, the client will first be prompted to provide their domain credentials for 802.1x authentication. If 802.1x authentication fails, the client is denied and the switch will not move on to MAB authentication.  If the switch does not receive any EAP packets, 802.1x authentication will time out after 8 seconds, and the client's MAC address will then be authenticated via MAB. If 802.1x authentication times out and MAB fails, the device will be put on a "guest" VLAN, if one is defined.
    Hybrid authentication is helpful in environments where not every device supports 802.1x authentication, since MAB exists as a failover mechanism.
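The decision path above (802.1x verdict is final, silence for 8 seconds falls back to MAB, then guest VLAN) is easy to get wrong when writing RADIUS policy or reading switch logs. The following model is an added illustration, not Meraki code: the timing, the MAC allowlist standing in for the RADIUS server's MAB database, and the treatment of EAP arriving after the timeout are constructed assumptions.

```python
from typing import Callable, Optional

EAP_TIMEOUT_S = 8.0   # article: 802.1x times out after 8 s with no EAP from the client

def normalize_mac(mac: str) -> str:
    """Canonical lower-case hex, so a MAB allowlist matches regardless of format."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

# Constructed MAB allowlist standing in for the RADIUS server's MAC database.
MAB_ALLOWLIST = {normalize_mac(m) for m in ("00:11:22:AA:BB:CC", "0011.22dd.eeff")}

def mab_allowed(mac: str) -> bool:
    return normalize_mac(mac) in MAB_ALLOWLIST

def hybrid_decision(first_eap_at: Optional[float], dot1x_accept: bool, mac: str,
                    guest_vlan: Optional[int],
                    mab_lookup: Callable[[str], bool] = mab_allowed) -> str:
    """Outcome for one client on a hybrid-policy port.

    first_eap_at : seconds after link-up when the first EAP frame arrived,
                   None if the client never spoke EAP.
    dot1x_accept : the RADIUS verdict on the 802.1x exchange (only consulted
                   when EAP was actually seen before the timeout).
    """
    if first_eap_at is not None and first_eap_at < EAP_TIMEOUT_S:
        # 802.1x was attempted, so its verdict is final: a reject is a deny,
        # the switch does not retry the client via MAB.
        return "authorized:802.1x" if dot1x_accept else "denied"
    # No EAP within 8 s: the switch falls back to MAB on the client's MAC.
    # (Assumption of this model: EAP arriving after the timeout is treated as
    # silence, since MAB has already started.)
    if mab_lookup(mac):
        return "authorized:mab"
    # Both paths failed: guest VLAN if one is defined, otherwise no access.
    return f"guest-vlan:{guest_vlan}" if guest_vlan is not None else "denied"

if __name__ == "__main__":
    print(hybrid_decision(0.5, True, "00:11:22:AA:BB:CC", 99))     # authorized:802.1x
    print(hybrid_decision(0.5, False, "00:11:22:AA:BB:CC", 99))    # denied, MAB is not consulted
    print(hybrid_decision(None, False, "00-11-22-DD-EE-FF", 99))   # authorized:mab
    print(hybrid_decision(None, False, "de:ad:be:ef:00:01", 99))   # guest-vlan:99
    print(hybrid_decision(None, False, "de:ad:be:ef:00:01", None)) # denied
```

The second call is the case to remember: a device with a valid MAB entry that attempts 802.1x with bad credentials is rejected outright, so a misconfigured supplicant shows up as a deny, not as a MAB success.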

Change of Authorization (CoA) - BETA

Meraki MS switches support CoA for RADIUS reauthentication and disconnection.  For more information, please see the following KB article.

  • URL Redirect Walled Garden (Supported on MS225/250/350/410/420/425)
    By default, URL redirect is enabled with CoA.  This can be used to redirect clients to a webpage for authentication.  Before authentication, the client will have access to all HTTP resources.  The walled garden can be used to limit access to the web server only.  This feature will only be enabled if one or more supported switches are in the network.  Configurations on this feature will be ignored by unsupported switches.

If you do not see these options, make sure to contact Meraki Support for the latest beta firmware.

Other RADIUS Features

  • RADIUS Accounting
    RADIUS Accounting can be enabled to send start, interim-update (default interval of 20 minutes) and stop messages to a configured RADIUS accounting server for tracking connected clients. Meraki’s implementation follows the IETF’s RFC 2869 standard. 
     
  • RADIUS Testing
    Meraki switches will periodically send Access-Request messages to these RADIUS servers using identity 'meraki_8021x_test' to ensure that the RADIUS servers are reachable.  If unreachable, the switch will failover to the next configured server.
     
  • RADIUS Monitoring
    In addition to the mechanism in RADIUS Testing, if all RADIUS servers are unreachable, clients attempting to authenticate will be put on the "guest" VLAN.  When the connectivity to the server is regained, the switchport will be cycled to initiate authentication.  Please contact Meraki Support to enable this feature.
  • Dynamic VLAN Assignment
    In lieu of CoA, MS switches can still dynamically assign a VLAN to a device by assigning the VLAN passed in the Tunnel-Pvt-Group-ID attribute. For more information, please see the following KB article.
     
  • Guest VLAN
    Guest VLANs can be used to allow unauthorized devices access to limited network resources.  This is not supported on the voice VLAN/domain.
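For the Dynamic VLAN Assignment item above, the RADIUS server has to return the Tunnel-Private-Group-ID attribute (RFC 2868 attribute 81, named Tunnel-Pvt-Group-ID in the Meraki UI) together with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 in its Access-Accept. The following is an added example, not Meraki or RADIUS-server code: it builds such an Access-Accept and then parses it the way a cautious authenticator would, checking the RFC 2865 Response Authenticator before trusting the VLAN; the shared secret, packet identifier, Request Authenticator and VLAN ID are constructed values.

```python
import hashlib
import struct
from typing import Optional

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def _avp(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value   # Type, Length, Value

def build_accept(ident: int, request_auth: bytes, secret: bytes,
                 vlan: int, tag: int = 1) -> bytes:
    """Constructed Access-Accept that assigns `vlan` to the authenticating port."""
    attrs = (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def vlan_from_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Verify the reply against the request it answers, then return the VLAN ID.
    None means the switch must not act on it (bad code/length/authenticator,
    malformed attributes, or a tunnel triple that is not VLAN over IEEE-802)."""
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    attrs = pkt[20:]
    if hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest() != pkt[4:20]:
        return None          # forged or tampered reply: never honour its VLAN
    found, i = {}, 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            return None      # malformed attribute header
        found[attr_type] = attrs[i + 2:i + attr_len]
        i += attr_len
    if (TUNNEL_TYPE not in found or TUNNEL_MEDIUM_TYPE not in found
            or TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    if (int.from_bytes(found[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None
    group_id = found[TUNNEL_PRIVATE_GROUP_ID]
    if group_id and group_id[0] <= 0x1F:   # RFC 2868: leading octet 0x00-0x1F is a tag
        group_id = group_id[1:]
    return int(group_id) if group_id.isdigit() else None
```

The tag handling on the last lines is the usual interoperability trap: a server that omits the tag octet and one that sends tag 0x00 or 0x01 are all valid, and the parser must accept each without mistaking the tag for part of the VLAN ID.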

Creating an Access Policy on Dashboard

  1. On the Dashboard navigate to Configure > Access Policies.
  2. Click on the link Add Access Policy in the main window then click the link to Add a server. 
  3. Enter the IP address of the RADIUS server, the port (default is 1812), and the secret created earlier.
  4. Select the required options, as described above.
  5. Click Save changes.

Apply Access Policy to Switch Ports

  1. Navigate to Configure > Switch Ports.
  2. Select the port(s) you would like to apply the access policy to and press the Edit button.
  3. Convert the port type from trunk to access.  Note: you can only apply an Access Policy to an access port.
  4. From the Access Policy drop-down box, select the Access Policy you created and press the Update ports button.

Last modified
08:01, 18 Jul 2017


Article ID

ID: 4467
