Cisco Meraki

NAC enhancements in MS 14

Overview

Firmware MS 14 brings a significant number of enhancements to the MS 802.1X Access Policy feature-set. This document details what these enhancements are and how they can be configured in a Meraki Dashboard network.

Requirements, guidelines and limitations

  1. Hardware and software requirements

     Feature                       Hardware supported                                               Minimum recommended firmware version
     Critical Authentication VLAN  MS120, MS125, MS210, MS225, MS250, MS350, MS355, MS425 and MS450  MS 14.29 (will continue to be updated)
     Failed Authentication VLAN    MS120, MS125, MS210, MS225, MS250, MS350, MS355, MS425 and MS450  MS 14.29 (will continue to be updated)

  2. Failed Authentication VLAN is only supported in the Single Host, Multi Host and Multi Domain modes. Access policies using Multi Auth mode are not supported.
     
  3. Configuring Critical Authentication VLAN or Failed Authentication VLAN under an access policy may affect its existing Guest VLAN behavior. Please consult the Interoperability and backward compatibility section of this document for details.
     
  4. If you are part of the feature beta, please also take a look at the Known issues and limitations for the beta section for the latest updates.

Feature additions

The enhancements add or affect the following functions of access policies that use a customer-provided RADIUS server (the "my RADIUS server" authentication method).

  1. Critical Authentication VLAN has been added to provide remediation VLANs for data and voice clients when the RADIUS servers are unreachable.
  2. Failed Authentication VLAN has been added to provide a remediation VLAN for clients that are not authorised by the RADIUS server.
  3. Re-authentication Interval has been added to enable periodic re-authentication of clients which support EAP.
  4. Guest VLAN function has been modified for better inter-op with Critical and Failed Authentication VLANs, when they are specified. Please refer to the Interoperability and backward-compatibility section for more details on this.

Failed Authentication VLAN

A client device connecting to a switchport controlled by an access-policy can be placed in the failed authentication VLAN if the RADIUS server denies its access request. 

Client devices may fail RADIUS authentication because they do not comply with the network's security requirements. The failed authentication VLAN provides such clients with limited access to the network for remediation purposes.

Re-authentication Interval

When the Re-authentication Interval is specified, the switch will periodically attempt authentication for clients connected to switchports with access policies. Apart from strengthening the security policy by periodically re-validating client authentication in the network, the re-authentication timer also enables the recovery of clients placed in the Failed Authentication VLAN because of incomplete provisioning of credentials.

Suspend Re-authentication when RADIUS servers are unreachable

Periodic re-authentication of clients can be an issue when RADIUS servers are unreachable. The Suspend Re-authentication when RADIUS servers are unreachable option disables the re-authentication process while none of the RADIUS servers are reachable.

Critical Authentication VLAN

The critical authentication VLAN can be used to provide network connectivity to client devices connecting on switchports controlled by an access-policy when all the RADIUS servers for that policy are unreachable or fail to respond to the authentication request on time.

When the RADIUS servers are not reachable from the switch, authentication requests for clients attempting to connect to the network will fail, resulting in clients being denied access. The critical authentication VLAN ensures that these clients are still able to access business-critical resources by placing them in a separate VLAN, which also gives network administrators better control over the network access available to clients whose identities cannot be established using RADIUS.

Suspend port bounce

When connectivity between the switch and any of the RADIUS servers is restored, the switch will attempt to authenticate the clients which it had placed in the Critical Authentication VLAN. The switch does this by bouncing (turning off and on) the switchports on which these clients are connected. If required, this port-bounce action can be disabled by enabling the Suspend port bounce option. When port-bounce is suspended, the clients will be retained in the Critical Authentication VLAN until a re-authentication for these clients is manually triggered.

Configuring Critical or Failed Authentication VLANs

To configure the critical authentication VLAN,

  1. Navigate to Switch > Access policies.
  2. If creating a new access policy, click on Add an access policy, seen at the bottom of the list of the configured access policies, and select my RADIUS server as the authentication method.
  3. Scroll down to find the Failed Auth VLAN section with options to specify the VLAN. The text-box can be left blank to disable the failed authentication VLAN function.
  4. The Critical Auth VLAN section provides options to specify the Data and Voice VLANs. The text-boxes can be left blank to disable the critical authentication VLAN function.

The critical data and critical voice VLANs should not be the same.

Interoperability and backward-compatibility

Some of the functions of the critical and failed authentication VLANs overlap with those performed by Guest VLANs in Meraki networks. In order to ensure that Guest VLAN functions in existing networks are not adversely affected, the critical and failed authentication VLANs remain inactive until VLAN values are explicitly configured for them.

The following matrix shows the remediation VLAN, if any, that a client device would be placed in for the different combinations of the remediation VLAN configuration options and the RADIUS authentication result.

Configured options          EAP timeout                  RADIUS timeout        Authentication Fail
                            (802.1X policies only)       (server unreachable)  (access-reject)
Guest (existing behaviour)  Guest VLAN                   Guest VLAN            Access denied [1]
Failed                      Access denied                Access denied         Failed Auth VLAN
Critical                    Access denied                Critical Auth VLAN    Access denied
Guest and Failed            Guest VLAN                   Guest VLAN            Failed Auth VLAN
Guest and Critical          Guest VLAN                   Critical Auth VLAN    Access denied [1]
Critical and Failed         Access denied                Critical Auth VLAN    Failed Auth VLAN
Guest, Failed and Critical  Guest VLAN                   Critical Auth VLAN    Failed Auth VLAN

[1] When using hybrid authentication without increase access speed (concurrent-auth), a client failing both 802.1X and MAB authentication will also be placed in the Guest VLAN. Please refer to the Access Policy Types section of the MS Switch Access Policies documentation for details.
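The matrix and its footnote, together with the guidelines earlier on this page (Failed Auth VLAN is not supported in Multi Auth mode; critical data and voice VLANs should differ), encoded as a lookup that can be used to check an access policy design before it is applied. This is an added example, not Meraki code; the class and function names and the string values for host modes are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class AuthResult(Enum):
    EAP_TIMEOUT = "eap_timeout"        # supplicant never answered (802.1X policies only)
    RADIUS_TIMEOUT = "radius_timeout"  # every RADIUS server unreachable or no reply in time
    ACCESS_REJECT = "access_reject"    # RADIUS explicitly denied the client


@dataclass(frozen=True)
class RemediationConfig:
    """VLAN IDs set on an access policy; None means the text-box was left blank."""
    host_mode: str = "Single Host"  # Single Host, Multi Host, Multi Domain or Multi Auth (assumed labels)
    guest_vlan: Optional[int] = None
    failed_auth_vlan: Optional[int] = None
    critical_data_vlan: Optional[int] = None
    critical_voice_vlan: Optional[int] = None


def validate(cfg: RemediationConfig) -> List[str]:
    """Return the guideline violations stated on this page (empty list means OK)."""
    problems = []
    if cfg.failed_auth_vlan is not None and cfg.host_mode == "Multi Auth":
        problems.append("Failed Auth VLAN is not supported in Multi Auth mode")
    if cfg.critical_data_vlan is not None and cfg.critical_data_vlan == cfg.critical_voice_vlan:
        problems.append("critical data and critical voice VLANs should not be the same")
    return problems


def remediation_vlan(cfg, result, hybrid_no_concurrent_auth=False, mab_failed_too=False):
    """VLAN a data client lands in for `result`, or None meaning 'Access denied'."""
    if result is AuthResult.EAP_TIMEOUT:
        # Only the Guest VLAN ever applies to an EAP timeout.
        return cfg.guest_vlan
    if result is AuthResult.RADIUS_TIMEOUT:
        # Critical Auth VLAN takes precedence over Guest VLAN when both are set.
        return cfg.critical_data_vlan if cfg.critical_data_vlan is not None else cfg.guest_vlan
    # Access-Reject: Failed Auth VLAN if set, otherwise denied ...
    if cfg.failed_auth_vlan is not None:
        return cfg.failed_auth_vlan
    # ... except footnote [1]: hybrid auth without concurrent-auth, both 802.1X and MAB failed.
    if cfg.guest_vlan is not None and hybrid_no_concurrent_auth and mab_failed_too:
        return cfg.guest_vlan
    return None


def matrix_row(cfg):
    """The three cells of the matrix for one configuration, in table column order."""
    return tuple(remediation_vlan(cfg, r) for r in AuthResult)
```

Calling matrix_row() for each row of the table above reproduces its cells (with None standing for "Access denied"), and validate() flags the two guideline violations before the policy is saved.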

 

Known issues and limitations for the beta

  1. The Critical Authentication UI does not allow the policy to be saved unless both the data and voice critical authentication VLANs have been specified.
    Workaround: configure the same value for both the data and voice critical authentication VLANs.
     
  2. Hybrid policies may not trigger authentication for MAB clients.
    Resolved in MS 14.23+
     
  3. Voice clients may not get access to the network when placed in the Critical Voice VLAN.
    Pending release with fix