Cisco Meraki

SecureConnect

Overview

SecureConnect automates the process of securely provisioning Meraki MR Access Points when directly connected to switch-ports on Meraki MS Switches, without the requirement of a per-port configuration on the switch. With SecureConnect, connecting an MR access point to a switch-port on an MS switch triggers the switch-port to be configured to allow the MR to connect to the Meraki cloud and obtain a security certificate. The MR, subsequently, uses the certificate to identify itself at the switch-port via 802.1X and is allowed access to the network upon successful authentication.

Requirements, guidelines and limitations

Hardware and software requirements
  1. MS switches: SecureConnect is supported on the following MS switch platforms and firmware versions

     | MS Switch Family | MS Switch Model | Minimum Firmware Required |
     |------------------|-----------------|---------------------------|
     | MS200 series     | MS210           | MS 14.15                  |
     | MS200 series     | MS225           | MS 14.15                  |
     | MS200 series     | MS250           | MS 14.15                  |
     | MS300 series     | MS350           | MS 14.15                  |
     | MS300 series     | MS355           | MS 14.15                  |

  2. MR access points: SecureConnect is supported on the following MR access points and firmware versions

     | MR Family                        | MR Models                                                             | Minimum Firmware Required |
     |----------------------------------|-----------------------------------------------------------------------|---------------------------|
     | Wi-Fi 5 Wave 2 (802.11ac Wave 2) | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84   | MR27.6                    |
     | Wi-Fi 6 (802.11ax)               | MR45, MR55, MR36, MR46, MR46E, MR56, MR76, MR86                       | MR27.6                    |

What happens to other MS and MR devices in the network?
  1. When enabled, SecureConnect is activated on all the SecureConnect-capable switches in the network. Switches in this network that do not support SecureConnect will continue to function as they would if SecureConnect was disabled.
  2. MR access-points which do not support SecureConnect will not trigger the identification and authentication process or a switchport configuration change. These access-points will continue to function as they would if SecureConnect was disabled.
Configuration and deployment considerations
  1. SecureConnect is not supported in networks bound to configuration templates.
  2. A SecureConnect-enabled MS switch will allow a SecureConnect MR access-point to fully connect to the network only if both the switch and the access-point belong to the same Dashboard Organization.
  3. The MR access-point and the MS switch should be directly connected to support SecureConnect.
  4. The LAN IP VLAN should not be configured on the MR access-points using SecureConnect. SecureConnect will automatically place these MR access-points in the same VLAN as the management VLAN of the switch they are connected to. Please refer to the configuration section for more details.

    The management VLAN used by SecureConnect when configuring a port connected to an MR is the VLAN being used by the switch as its management VLAN at the time. This VLAN may differ from the user-configured management VLAN because, when unable to obtain an IP in the configured management VLAN, an MS switch will try to use the other VLANs for management connectivity.

  5. SecureConnect does not apply to LACP aggregate group ports. If an MR access-point that does not support LACP is plugged into a switchport which is part of an LACP aggregate group, the switchport will be disabled by LACP. MR access-points that do support LACP, when plugged into a switchport configured as a part of an LACP aggregate group will continue to function as they would if SecureConnect was disabled.

How things work

  1. In a SecureConnect-enabled Dashboard Network, all SecureConnect MS switches are programmed to identify MR access-points directly connected to them.
  2. When a SecureConnect MR access-point is connected to a switchport on a SecureConnect MS switch, the switch modifies the port configuration to provide only limited network services such as DHCP, allowing the MR access-point to communicate only with the Meraki cloud. If the connected MR access point does not support SecureConnect, no port configuration changes are triggered on the MS switch.
  3. If this is the first time the MR access-point has connected to the Meraki cloud while being enabled for SecureConnect, it is provided a security certificate by the Meraki cloud along with its configuration.
  4. After successfully downloading the configuration and the security certificate, the MR access-point initiates an 802.1X authentication request using the security certificate as its credential.
  5. The SecureConnect MS switch checks with the Meraki cloud to verify the authenticity of the security certificate and confirm that the MR access-point being authenticated belongs to the same Dashboard Organization as the MS switch.

SecureConnect switchport states and port configuration settings

[Figure: SecureConnect port state machine]

The following table provides details of the behaviour and the port configuration associated with the different SecureConnect switchport states.

| State | State details | Port configuration |
|-------|---------------|--------------------|
| Disabled | SecureConnect is not enabled in the network. | Switchport retains the last user-defined configuration settings. |
| Enabled | SecureConnect is enabled in the network but the switchport is not connected to a SecureConnect-capable MR access-point. | Switchport retains the last user-defined configuration settings. |
| In Progress | A SecureConnect MR access-point is connected to the switchport but it has not yet completed the authentication process. While the switchport is in this state, the MR communicates with the Dashboard to download the required security certificates along with any user-defined configuration, and attempts to authenticate itself. If it is the first time that the connected MR has been plugged into a SecureConnect-enabled switchport since it was claimed in the Dashboard Organization, the port may remain in this state for an extended period while the MR is issued the security certificate. | SecureConnect enforced switchport configuration: Type: Trunk; Native VLAN: Switch Management VLAN; Allowed VLANs: Switch Management VLAN only; Access Policy: Not applicable (internally managed). Traffic restrictions allow only communication between the MR and the Meraki Dashboard. The remaining user-defined switchport settings are retained. |
| Authenticated | The MR has been successfully authenticated via Meraki Auth, using the MR's security certificate, and has been verified to belong to the same Dashboard Organization as the switch. | SecureConnect enforced switchport configuration: Type: Trunk; Native VLAN: Switch Management VLAN; Allowed VLANs: All VLANs; Access Policy: Not applicable (internally managed). The remaining user-defined switchport settings are retained. |
| Restricted | The MR has either failed to authenticate or the authentication process resulted in a timeout. | SecureConnect enforced switchport configuration: Type: Trunk; Native VLAN: Switch Management VLAN; Allowed VLANs: Switch Management VLAN only; Access Policy: Not applicable (internally managed). Traffic restrictions allow only communication between the MR and the Meraki Dashboard. The remaining user-defined switchport settings are retained. |
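The sequence in "How things work" and the state table above describe one state machine. The following model, added here as an illustration and not Meraki's own code, encodes the five states, the events that move a port between them (SecureConnect enabled or disabled, an MR connecting or disconnecting, an authentication result, a timeout) and the port configuration each state enforces. It also shows the fail-closed property the table implies: an MR that fails verification, belongs to another Dashboard Organization, or times out lands on a trunk carrying only the switch management VLAN with Dashboard-only traffic, never on the full VLAN set. The event names, the `PortConfig` fields, the tick-based timeout and the `select_management_vlan` fallback rule (lowest numbered VLAN with an IP) are assumptions made for this example.

```python
"""Model of the SecureConnect switchport state machine described on this page.

Added illustration, not Meraki's implementation. Event names, PortConfig
fields, the tick-based timeout and the fallback rule in
select_management_vlan are assumptions of this example.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import FrozenSet, List, Optional, Sequence

# Assumption: "All VLANs" is modelled as the full 802.1Q range.
ALL_VLANS: FrozenSet[int] = frozenset(range(1, 4095))


class State(Enum):
    DISABLED = "Disabled"
    ENABLED = "Enabled"
    IN_PROGRESS = "In Progress"
    AUTHENTICATED = "Authenticated"
    RESTRICTED = "Restricted"


@dataclass(frozen=True)
class PortConfig:
    port_type: str                  # "access" or "trunk"
    native_vlan: int
    allowed_vlans: FrozenSet[int]
    cloud_only: bool = False        # True: only MR <-> Meraki Dashboard traffic passes
    other_settings: tuple = ()      # stand-in for the user-defined settings that are retained


def select_management_vlan(configured: int, vlans_with_ip: Sequence[int]) -> Optional[int]:
    """VLAN the switch is actually using for management: the configured one if
    it obtained an IP there, otherwise another VLAN where it did (assumed: lowest)."""
    if configured in vlans_with_ip:
        return configured
    return min(vlans_with_ip) if vlans_with_ip else None


@dataclass
class SwitchPort:
    user_config: PortConfig         # the administrator's own port settings
    switch_mgmt_vlan: int           # management VLAN in use right now
    state: State = State.DISABLED
    auth_timeout: int = 3           # assumed: unauthenticated ticks allowed before Restricted
    waited: int = 0

    def enable(self) -> State:
        """SecureConnect turned on for the network."""
        if self.state is State.DISABLED:
            self.state = State.ENABLED
        return self.state

    def disable(self) -> State:
        """SecureConnect turned off: the port returns to its user-defined settings."""
        self.state, self.waited = State.DISABLED, 0
        return self.state

    def mr_connected(self, supports_secureconnect: bool) -> State:
        """An MR is plugged in. Only a SecureConnect-capable MR changes the port."""
        if self.state is State.ENABLED and supports_secureconnect:
            self.state, self.waited = State.IN_PROGRESS, 0
        return self.state

    def mr_disconnected(self) -> State:
        if self.state is not State.DISABLED:
            self.state, self.waited = State.ENABLED, 0
        return self.state

    def auth_result(self, cert_valid: bool, same_org: bool) -> State:
        """802.1X outcome checked with the Meraki cloud: the certificate must verify
        AND the MR must belong to the same Dashboard Organization as the switch."""
        if self.state is State.IN_PROGRESS:
            self.state = State.AUTHENTICATED if (cert_valid and same_org) else State.RESTRICTED
        return self.state

    def tick(self) -> State:
        """Time passes while In Progress; exceeding the timeout fails closed to Restricted."""
        if self.state is State.IN_PROGRESS:
            self.waited += 1
            if self.waited >= self.auth_timeout:
                self.state = State.RESTRICTED
        return self.state

    def effective_config(self) -> PortConfig:
        """Port configuration the switch enforces in the current state."""
        if self.state in (State.DISABLED, State.ENABLED):
            return self.user_config                      # last user-defined settings retained
        # Remaining user settings are carried over; type and native VLAN are enforced.
        enforced = replace(self.user_config, port_type="trunk", native_vlan=self.switch_mgmt_vlan)
        if self.state is State.AUTHENTICATED:
            return replace(enforced, allowed_vlans=ALL_VLANS, cloud_only=False)
        # In Progress and Restricted: management VLAN only, Dashboard traffic only.
        return replace(enforced, allowed_vlans=frozenset({self.switch_mgmt_vlan}), cloud_only=True)


def first_time_onboarding(same_org: bool = True) -> List[State]:
    """Walk a port through the 'How things work' sequence and return the states seen."""
    user = PortConfig("access", 10, frozenset({10}), other_settings=(("poe", "enabled"),))
    port = SwitchPort(user_config=user, switch_mgmt_vlan=1)
    seen = [port.enable(), port.mr_connected(supports_secureconnect=True)]
    seen.append(port.tick())                 # certificate being issued; still In Progress
    seen.append(port.auth_result(cert_valid=True, same_org=same_org))
    return seen


if __name__ == "__main__":
    print([s.value for s in first_time_onboarding()])
```

`first_time_onboarding()` returns `Enabled, In Progress, In Progress, Authenticated`; with `same_org=False` the final state is `Restricted`, which is the check an operator should expect to see when an access point from a different organization is cabled into a SecureConnect switch.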

Configuring SecureConnect in a network

  1. Navigate to SecureConnect under Device Configuration on the Network-wide > General page.
  2. Click 'enable' and review the port settings.
     [Figure: SecureConnect configuration on the Network-wide > General page]
  3. Save the changes.

Configuration considerations for MR access points

A SecureConnect-capable MR access point connected to an MS switch enabled for SecureConnect should not be configured with a LAN IP VLAN number. While the other LAN IP settings can be configured, the VLAN field should be left blank (as shown below).

[Figure: MR LAN IP settings with the VLAN field left blank]
