Cisco Meraki Documentation

SecurePort

Overview

SecurePort automates the process of securely provisioning Meraki MR Access Points when directly connected to switch-ports on Meraki MS Switches, without the requirement of a per-port configuration on the switch. With SecurePort, connecting an MR access point to a switch-port on an MS switch triggers the switch-port to be configured to allow the MR to connect to the Meraki cloud and obtain a security certificate. The MR, subsequently, uses the certificate to identify itself at the switch-port via 802.1X and is allowed access to the network upon successful authentication.

Requirements, guidelines and limitations 

Hardware and software requirements
  1. MS switches: SecurePort is supported on the following MS switch platforms and firmware versions

     MS Switch Family   MS Switch Model   Minimum Firmware Required
     MS200 series       MS210             MS 14.15
     MS200 series       MS225             MS 14.15
     MS200 series       MS250             MS 14.15
     MS300 series       MS350             MS 14.15
     MS300 series       MS355             MS 14.15
     MS400 series       MS410             MS 14.15
     MS400 series       MS425             MS 14.15
     MS400 series       MS450             MS 14.15

  2. MR access points: SecurePort is supported on the following MR access points and firmware versions

     MR Family                          MR Models                                                                   Minimum Firmware Required
     WiFi-5 Wave 2 (802.11ac Wave 2)    MR20, MR30H, MR33, MR42, MR42E, MR52*, MR53*, MR53E*, MR70, MR74, MR84    MR 27.6
     Wi-Fi 6 (802.11ax)                 MR45, MR55, MR36, MR44, MR46, MR46E, MR56, MR76, MR86                      MR 27.6
     Wi-Fi 6 (802.11ax)                 MR36H                                                                       MR 28.5
     Wi-Fi 6 (802.11ax)                 MR28, MR78                                                                  MR 28.7.1
     Wi-Fi 6E                           MR57* (Eth0 port only)                                                      MR 28.6.1
     Wi-Fi 6E                           CW9162, CW9164, CW9166                                                      MR 28.7.1

  * See the note below about dual-Ethernet-capable/LACP-enabled MR access points.

What happens to other MS and MR devices in the network?
  1. When enabled, SecurePort is activated on all the SecurePort-capable switches in the network. Switches in this network that do not support SecurePort will continue to function as they would if SecurePort was disabled.
  2. MR access-points which do not support SecurePort will not trigger the identification and authentication process or a switchport configuration change. These access-points will continue to function as they would if SecurePort was disabled.
Configuration and deployment considerations
  1. A SecurePort-enabled MS switch will allow a SecurePort MR access-point to fully connect to the network only if both the switch and the access-point belong to the same Dashboard Organization.
  2. The MR access-point and the MS switch should be directly connected to support SecurePort.
  3. The switchport on which the MR is connected should be enabled, and configured for PoE if the MR is not using a power injector. 
  4. The LAN IP VLAN should not be configured on the MR access-points using SecurePort. SecurePort will automatically place these MR access-points in the same VLAN as the management VLAN of the switch they are connected to. Please refer to the configuration section for more details.

    The management VLAN used by SecurePort when configuring a port connected to an MR is the VLAN being used by the switch as its management VLAN at the time. This VLAN may differ from the user-configured management VLAN because, when unable to obtain an IP in the configured management VLAN, an MS switch will try to use the other VLANs for management connectivity.

  5. SecurePort does not apply to LACP aggregate group ports. If an MR access-point that does not support LACP is plugged into a switchport which is part of an LACP aggregate group, the switchport will be disabled by LACP. MR access-points that do support LACP, when plugged into a switchport configured as a part of an LACP aggregate group will continue to function as they would if SecurePort was disabled.
  6. SecurePort is supported in networks bound to configuration templates. When enabled on a template level, SecurePort-capable MS switches and MR access points in child networks will get SecurePort activated.

How things work

  1. In a SecurePort-enabled Dashboard Network, all SecurePort MS switches are programmed to identify MR access-points directly connected to them.
  2. When a SecurePort MR access-point is connected to a switchport on a SecurePort MS switch, the switch modifies the port configuration to provide network access to limited services such as DHCP, allowing the MR access-point to communicate only with the Meraki cloud. If the connected MR access point does not support SecurePort, no port configuration changes are triggered on the MS switch.
  3. If this is the first time the MR access-point has connected to the Meraki cloud while being enabled for SecurePort, it is provided a security certificate by the Meraki cloud along with its configuration.
  4. After successfully downloading the configuration and the security certificate, the MR access-point initiates an 802.1X authentication request using the security certificate as its credential.
  5. The SecurePort MS switch checks with the Meraki cloud to verify the authenticity of the security certificate and confirm that the MR access-point being authenticated belongs to the same Dashboard Organization as the MS switch. 

 

NOTE: Supported APs will start off only being able to reach the dashboard on the switch management VLAN. The APs will have 3 attempts of 5 seconds each to authenticate. If this authentication fails, the switch's port will fall into a restricted state. This might show itself in a couple of ways:

  • Wireless Clients unable to web browse
  • Switchport indicates SecurePort failed

The failed authentication can happen if the AP and switch are in different organizations, or if the AP is not claimed in inventory. 

 

SecurePort switchport states and port configuration settings


The following table provides details of the behaviour and the port configuration associated with the different SecurePort switchport states.

State: Disabled
  State details: SecurePort is not enabled in the network.
  Port configuration: Switchport retains the last user-defined configuration settings.

State: Enabled
  State details: SecurePort is enabled in the network but the switchport is not connected to a SecurePort-capable MR access-point.
  Port configuration: Switchport retains the last user-defined configuration settings.

State: In Progress
  State details:
    A SecurePort MR access-point is connected to the switchport but it has not yet completed the authentication process.

    While the switchport is in this state, the MR communicates with the Dashboard to download the required security certificates along with any user-defined configuration, and attempts to authenticate itself.

    If it is the first time that the connected MR has been plugged into a SecurePort-enabled switchport since it was claimed in the Dashboard Organization, the port may remain in this state for an extended period as the MR is issued the security certificate.

    If an authentication is in progress, one can expect the following Alert to be generated on the port and AP:
    [Figures: "Authentication in progress" port status and SecurePort alert]

  Port configuration:
    SecurePort enforced switchport configuration:

    Type : Trunk
    Native VLAN : Switch Management VLAN
    Allowed VLANs : Switch Management VLAN only
    Access Policy : Not applicable (SecurePort)

    Traffic restrictions to allow only communication between the MR and the Meraki Dashboard.

    The remaining user-defined switchport settings are retained.

State: Authenticated
  State details:
    The MR has been successfully authenticated via Meraki Auth, using the MR's security certificate, and has been verified to belong to the same Dashboard Organization as the switch.

    The following Alerts will be generated by the dashboard/port status:
    [Figures: "Authenticated" port status and successful authentication alert]

  Port configuration:
    SecurePort enforced switchport configuration:

    Type : Trunk
    Native VLAN : Switch Management VLAN
    Allowed VLANs : All VLANs
    Access Policy : Not applicable (SecurePort)

    The remaining user-defined switchport settings are retained.

State: Restricted
  State details:
    The MR has either failed to authenticate or the authentication process resulted in a timeout.

    The following alert will be generated on the dashboard and on the port:
    [Figures: "Authentication failed" port status and failed authentication alert]

  Port configuration:
    SecurePort enforced switchport configuration:

    Type : Trunk
    Native VLAN : Switch Management VLAN
    Allowed VLANs : Switch Management VLAN only
    Access Policy : Not applicable (SecurePort)

    Traffic restrictions to allow only communication between the MR and the Meraki Dashboard.

    The remaining user-defined switchport settings are retained.

Configuring SecurePort in a network

  1. Navigate to SecurePort under Device Configuration on the Network-wide > General page.
  2. Click 'enable' and review the port settings.
     [Figure: SecurePort setting on the Network-wide > General page]
  3. Save the changes.

Configuration considerations for MR access points

A SecurePort-capable MR access point connected to an MS switch enabled for SecurePort should not be configured with a LAN IP VLAN number. While the other LAN IP settings can be configured, the VLAN field should be left blank (as shown below).

[Figure: MR LAN IP settings with the VLAN field left blank]

Configuring and monitoring SecurePort using API

Configure SecurePort in a Network

Use the PUT /networks/{networkId}/settings request to enable or disable SecurePort in a network. For details of the API request, check the Update Network Settings API documentation.

Example request

PUT /networks/{networkId}/settings
{
    "localStatusPageEnabled": true,
    "localStatusPage": {
        "authentication": {
            "enabled": false,
            "username": "admin"
        }
    },
    "securePort": { "enabled": true },
    "fips": { "enabled": true }
}
Check SecurePort status of a Network

To check SecurePort's status in a network, use the GET /networks/{networkId}/settings request. For details of the API request, check the Get Network Settings API documentation.

Example request and response

GET /networks/{networkId}/settings

{
    "localStatusPageEnabled": true,
    "remoteStatusPageEnabled": true,
    "localStatusPage": {
        "authentication": {
            "enabled": false,
            "username": "admin"
        }
    },
    "securePort": { "enabled": true },
    "fips": { "enabled": true }
}
Check SecurePort status of a switch-port

To check SecurePort's status of a switch-port, use the GET /devices/{serial}/switch/ports/statuses request. For details of the API request, check the Get Device Switch Ports Status API documentation.

Example request and response

GET /devices/{serial}/switch/ports/statuses

[
    {
        "portId": "1",
        "enabled": true,
        "status": "Connected",
      ...
        "warnings": [
            "SecurePort authentication in progress"
        ],
      ...
        "securePort": {
            "enabled": true,
            "active": true,
            "authenticationStatus": "Authentication in progress",
            "configOverrides": {
                "type": "trunk",
                "allowedVlans": "all",
                "vlan": 12,
                "voiceVlan": null
            }
        }
    }
]
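As an added example (not Meraki's own code or API client), the following Python maps each port entry returned by GET /devices/{serial}/switch/ports/statuses onto the states of the table above, flags Restricted ports with the two failure causes named in the NOTE, and checks each port's configOverrides against the enforced settings the state table lists. The sample data is constructed; only the "Authentication in progress" status string is documented on this page, so the "Authenticated" and "Authentication failed" strings, and the substring matching in classify(), are assumptions.

```python
def _port(pid, auth_status, allowed_vlans, active=True):
    """Constructed entry in the shape of one GET .../switch/ports/statuses element."""
    sp = {"enabled": True, "active": active}
    if active:
        sp["authenticationStatus"] = auth_status
        sp["configOverrides"] = {"type": "trunk", "allowedVlans": allowed_vlans,
                                 "vlan": 12, "voiceVlan": None}
    return {"portId": pid, "securePort": sp}

# Constructed sample data. Only "Authentication in progress" is documented on the
# page; the "Authenticated" and "Authentication failed" strings are assumptions.
SAMPLE_PORT_STATUSES = [
    _port("1", "Authentication in progress", "12"),
    _port("2", "Authenticated", "all"),
    _port("3", "Authentication failed", "12"),
    _port("4", None, None, active=False),  # SecurePort on, no SecurePort MR attached
]

def classify(port):
    """Map one port entry onto the state names used in the state table."""
    sp = port.get("securePort") or {}
    if not sp.get("enabled"):
        return "Disabled"
    if not sp.get("active"):
        return "Enabled"
    status = (sp.get("authenticationStatus") or "").lower()
    if "progress" in status:
        return "In Progress"
    if "fail" in status or "timeout" in status or "restrict" in status:
        return "Restricted"
    return "Authenticated"

def expected_allowed_vlans(state, mgmt_vlan):
    """Allowed-VLAN list the state table says SecurePort enforces (None: no override)."""
    if state in ("In Progress", "Restricted"):
        return str(mgmt_vlan)  # switch management VLAN only
    return "all" if state == "Authenticated" else None

def audit(ports):
    """Return ({portId: state}, [findings]) for one switch's port statuses."""
    states, findings = {}, []
    for p in ports:
        st = states[p["portId"]] = classify(p)
        if st == "Restricted":
            findings.append(f"port {p['portId']}: SecurePort failed; confirm the AP is claimed and in the switch's organization")
        ov = (p.get("securePort") or {}).get("configOverrides") or {}
        want = expected_allowed_vlans(st, ov.get("vlan"))
        if want and (ov.get("type") != "trunk" or ov.get("allowedVlans") != want):
            findings.append(f"port {p['portId']}: overrides {ov} differ from trunk/allowedVlans={want} expected in state {st}")
    return states, findings
```

Feed audit() the parsed JSON list from the real endpoint to get the same per-port state map and findings for a live switch.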