
MX Access Policies (802.1X)

Overview

MX64(W) and MX65(W) Security Appliances support port-based access policies using 802.1X. This feature can be leveraged for deployments where extra authentication is desired for devices that are connecting to the MX.

Use cases

In the case of a teleworker device, these policies can be used to require authentication of devices before they are allowed to connect to a trusted VLAN that can access the corporate site-to-site VPN.

Access policies can also be used to provide an additional layer of security in remote sites where there are no staff to prevent users or employees from attempting to connect additional devices to the MX Security Appliance.

Types of Access Policies

There are several different types of access policies that can be configured on an MX Security Appliance. It is important to understand the differences between these policies for appropriate configuration.

Open

An open access policy does not require any authentication for a device connecting to the port.

802.1X

The 802.1X access policy authenticates connecting devices against the configured RADIUS servers by requiring credentials from the device.

Note: Packet captures taken from the MX will NOT show the EAP conversation between the MX and the client. They will only show the RADIUS traffic between the MX and the RADIUS server.

MAC authentication bypass

Configuring a port for the MAC authentication bypass access policy authenticates devices against the configured RADIUS servers, using the MAC address of the device connected to the port. This access policy does not challenge devices for credentials.

MAC authentication bypass is an ideal choice for ports that have connecting devices that do not support 802.1X-based authentication.

Hybrid

The Hybrid authentication access policy combines 802.1X and MAC authentication bypass. A port configured for hybrid authentication will attempt to use 802.1X to authenticate the connected device to the configured RADIUS servers, but will fail over to MAC authentication bypass if the connected device does not send any EAP traffic.

If attempts to authenticate a connected device using 802.1X and MAC authentication bypass are unsuccessful, ports configured for hybrid authentication will continue to try to authenticate the device using both methods.

The device will be granted access if authentication is successful using either 802.1X or MAC authentication bypass.

Configuration

MX access policies are configured from the Security Appliance > Addressing & VLANs page in Dashboard.

Begin by ensuring that VLANs are enabled in the Routing section of the Addressing & VLANs page.

This will reveal the Per-port VLAN configuration options, where we will configure our access policies.

To configure an access policy for a particular port, click on the port in the Per-port VLAN configuration table. Access policies can also be configured for multiple ports by selecting the desired ports using the check boxes and clicking the Edit button.

This will bring you to the Configure MX LAN ports menu. To configure the access policy:

  • Set the Enabled status to enabled
  • Set the Type to access
  • Select the appropriate VLAN
  • Choose the type of Access policy that should be used
  • Click Add a RADIUS server to configure at least one RADIUS server for authentication
    • In the Host field, specify the IP address used to reach the RADIUS server
    • Specify the Port the RADIUS server is available on
    • Input the shared secret used by the RADIUS server in the Secret field

Once the access policy has been configured for an MX LAN port, the Access policy column of the Per-port VLAN configuration table will update accordingly.
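The shared secret entered in the Secret field is the only credential that binds the MX to the RADIUS server: it hides the User-Password attribute on the way out and authenticates every reply on the way back, so a server configured with a different secret produces replies the MX cannot verify. The following Python script is an added example, not Meraki code and not taken from this page; it walks through those RFC 2865 mechanics for a MAC authentication bypass request. It assumes (an assumption, since this page does not document the MX's attribute format) that the client MAC is sent as both User-Name and User-Password, and every value in it (secret, MAC address, identifier) is constructed for illustration.

```python
"""Added example (not Meraki's code, not from the page it accompanies):
RFC 2865 password hiding and Response Authenticator verification, i.e.
what the RADIUS shared secret actually does for an MX access policy.

Assumptions, all constructed: the NAS (standing in for the MX) sends the
client MAC as User-Name and User-Password for MAC authentication bypass;
the shared secret, MAC and packet identifier are made-up values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by a server holding the same secret."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length counts itself)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list that follows the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_mab_request(identifier: int, request_authenticator: bytes,
                      secret: bytes, mac: str) -> bytes:
    """Access-Request carrying the MAC as User-Name and as a hidden User-Password."""
    username = mac.encode()
    body = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(username, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with our copy of the secret.
    A reply built under any other secret fails here."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def port_decision(response: bytes, request_authenticator: bytes, secret: bytes) -> str:
    """Unverifiable replies are discarded; otherwise follow Access-Accept / Access-Reject."""
    if not verify_response(response, request_authenticator, secret):
        return "discard"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; one unique secret per NAS in practice
    mac = "00:11:22:33:44:55"               # constructed client MAC
    req_auth = os.urandom(16)               # fresh and unpredictable per request (RFC 2865)
    request = build_mab_request(7, req_auth, secret, mac)

    # Server with the matching secret recovers the MAC and answers accordingly.
    attrs = parse_attributes(request)
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if recovered == attrs[ATTR_USER_NAME] else ACCESS_REJECT
    print("matching secret:", port_decision(build_response(code, 7, req_auth, secret), req_auth, secret))
    # Server with a different secret: even an Access-Accept is discarded by the NAS.
    bad = build_response(ACCESS_ACCEPT, 7, req_auth, b"some-other-secret")
    print("mismatched secret:", port_decision(bad, req_auth, secret))
```

Two points worth taking from the run: the secret is a symmetric credential, so it must be unique per appliance and rotated if it is ever exposed, and a typo in the Secret field surfaces as replies the MX silently discards rather than as an explicit rejection. Separately, MAC authentication bypass uses an address that is visible on the wire as its only credential, so ports using it belong in a VLAN scoped to what those devices actually need, which is what the VLAN selection step above is for.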

Last modified
15:14, 11 Oct 2017