Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Meraki Wired with CP not matching default wired service

  • 1.  Meraki Wired with CP not matching default wired service

    Posted May 22, 2019 07:59 PM

    I'm trying to do wired NAC with Meraki switches. The default wired service is not matching any laptop connecting to the port configured for RADIUS. When I remove the Radius:IETF -> Service-Type -> BELONGS_TO -> Login-User(1), Framed-User(2), Authenticate-Only(8) and then add Connection -> Protocol -> EQUALS -> RADIUS and Radius:Cisco -> Cisco-AVPair -> BEGINS_WITH -> audit-session-id it matches, but then it also matches MAC auth attempts. This stops me from getting IP phones profiled and matching the MAC auth service after the wired auth service. 

    I made the changes to the default wired service to what I could see in the Radius request in the tracker.

     

    Has anyone done wired auth on Meraki kit and got it to match the default service, or what changes did you make to the default service to get it to work?



  • 2.  RE: Meraki Wired with CP not matching default wired service

    Posted May 28, 2019 09:20 AM

    I have the same problem.

    I "solved" it by reordering the services, so that MAC Auth (which is more specific) is higher up in the service list.

    Also disabled "Increase access speed" in the Meraki switch access policy, so it tries dot1x authentication before falling back to MAB.



  • 3.  RE: Meraki Wired with CP not matching default wired service

    Posted May 28, 2019 06:23 PM

    Thanks for the reply. Do you have TLS as auth method, and do you use TLS for machine and user authentication in your policies?
    We do not have auto-enrolment enabled for user and machine certificates in the environment yet. I swapped the order as you suggest, but then all devices that have not rebooted or logged out and back in would not get machine or user authenticated and would then match the MAC-Auth service.
    I then added MTU->EXIST to the policy and that seems to work now with the MAC-Auth service below the normal wired 802.1x service.
    The only issue is that without certificates the machine auth attribute is lost as the machine and/or CP doesn't periodically check and update it.
    I can for now then only use user-auth as match with AD attributes. I will test again as soon as we have certificates on the Machines.



  • 4.  RE: Meraki Wired with CP not matching default wired service

    Posted May 29, 2019 08:50 AM

    We have not implemented TLS yet, just EAP-PEAP with AD-auth for user devices and MAC-auth with profiling for other devices.

     

    We've used the default MAC Auth service and modified the wired 802.1x service to not include any IETF service-type.



  • 5.  RE: Meraki Wired with CP not matching default wired service
    Best Answer

    Posted May 30, 2019 01:04 AM

    Yeah, that is the same as what I have now. I removed the IETF service type as well but added Radius:IETF -> Framed-MTU -> EXISTS. I could then keep the order of the wired service above the MAC-Auth service.

    I added a screenshot below. Mine is working as expected now.
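
The three rule sets discussed in this thread, run through a small simulation of ClearPass-style ordered service matching. This is an added example, not ClearPass code or anything the posters attached: attribute names follow ClearPass's Radius:IETF / Radius:Cisco / Connection notation, the two RADIUS requests are constructed from what the posts describe (no IETF Service-Type from the Meraki switch; Framed-MTU present only in the 802.1X request, which is what the Framed-MTU EXISTS fix relies on), the NAS-Port-Type rule in the default wired service and the User-Name-equals-client-MAC rule in the MAC auth service are assumed, and the audit-session-id value is a placeholder.

```python
# Added example: simulate ClearPass-style ordered service classification to
# show why each rule set in the thread behaves as reported. Not ClearPass
# code; sample requests and the exact MAC auth / NAS-Port-Type rules are
# assumptions, as noted below.
from typing import Any, Dict, List, Optional, Tuple

Request = Dict[str, Any]
Rule = Tuple[str, str, Any]        # (attribute, operator, value)
Service = Tuple[str, List[Rule]]   # (service name, rules ANDed together)


def evaluate_rule(req: Request, rule: Rule) -> bool:
    """Evaluate one service rule against the attributes of a request."""
    attr, op, value = rule
    if op == "EXISTS":
        return attr in req
    if op == "NOT_EXISTS":
        return attr not in req
    if attr not in req:
        return False                # every other operator needs the attribute present
    actual = req[attr]
    if op == "EQUALS":
        return actual == value
    if op == "EQUALS_ATTR":         # compare against another attribute of the request
        return value in req and actual == req[value]
    if op == "BELONGS_TO":
        return actual in value
    if op == "BEGINS_WITH":
        return str(actual).startswith(str(value))
    raise ValueError(f"unsupported operator {op}")


def classify(req: Request, services: List[Service]) -> Optional[str]:
    """Return the first service, in list order, whose rules all match."""
    for name, rules in services:
        if all(evaluate_rule(req, r) for r in rules):
            return name
    return None


# Constructed sample requests (assumption: no IETF Service-Type from the switch,
# Framed-MTU only in the 802.1X request; audit-session-id is a placeholder).
DOT1X_REQUEST: Request = {
    "Connection:Protocol": "RADIUS",
    "Connection:Client-Mac-Address": "aabbccddeeff",
    "Radius:IETF:User-Name": "host/laptop01.example.local",
    "Radius:IETF:NAS-Port-Type": "Ethernet",
    "Radius:IETF:Framed-MTU": 1500,
    "Radius:IETF:EAP-Message": b"\x02\x01\x00\x06\x01",
    "Radius:Cisco:Cisco-AVPair": "audit-session-id=placeholder",
}
MAB_REQUEST: Request = {
    "Connection:Protocol": "RADIUS",
    "Connection:Client-Mac-Address": "001122334455",
    "Radius:IETF:User-Name": "001122334455",
    "Radius:IETF:User-Password": "001122334455",
    "Radius:IETF:NAS-Port-Type": "Ethernet",
    "Radius:Cisco:Cisco-AVPair": "audit-session-id=placeholder",
}

# MAC auth service (assumed rule: User-Name equals the client MAC address).
MAC_AUTH: Service = ("MAC Authentication", [
    ("Connection:Protocol", "EQUALS", "RADIUS"),
    ("Radius:IETF:User-Name", "EQUALS_ATTR", "Connection:Client-Mac-Address"),
])

# 1. Default wired service: requires an IETF Service-Type (NAS-Port-Type rule assumed).
WIRED_DEFAULT: Service = ("802.1X Wired", [
    ("Connection:Protocol", "EQUALS", "RADIUS"),
    ("Radius:IETF:NAS-Port-Type", "BELONGS_TO", {"Ethernet"}),
    ("Radius:IETF:Service-Type", "BELONGS_TO",
     {"Login-User", "Framed-User", "Authenticate-Only"}),
])
# 2. Post 1's change: Protocol plus audit-session-id, which also catches MAB.
WIRED_AVPAIR: Service = ("802.1X Wired", [
    ("Connection:Protocol", "EQUALS", "RADIUS"),
    ("Radius:Cisco:Cisco-AVPair", "BEGINS_WITH", "audit-session-id"),
])
# 3. Post 5's fix: drop Service-Type, require Framed-MTU to exist.
WIRED_FRAMED_MTU: Service = ("802.1X Wired", [
    ("Connection:Protocol", "EQUALS", "RADIUS"),
    ("Radius:IETF:NAS-Port-Type", "BELONGS_TO", {"Ethernet"}),
    ("Radius:IETF:Framed-MTU", "EXISTS", None),
])


def outcomes(wired: Service) -> Dict[str, Optional[str]]:
    """Classify both requests with the wired service ordered above MAC auth."""
    order = [wired, MAC_AUTH]
    return {"dot1x": classify(DOT1X_REQUEST, order),
            "mab": classify(MAB_REQUEST, order)}


if __name__ == "__main__":
    for label, svc in (("default", WIRED_DEFAULT), ("avpair", WIRED_AVPAIR),
                       ("framed-mtu", WIRED_FRAMED_MTU)):
        print(label, outcomes(svc))
```

With the default rules the 802.1X request matches nothing (no Service-Type, and its User-Name is not a MAC), the audit-session-id variant sends both requests to the wired service, and the Framed-MTU EXISTS variant sends the 802.1X request to the wired service and lets the MAB request fall through to MAC auth while keeping the original service order. The check a practitioner should do before relying on this is to confirm in Access Tracker that the switch's MAB requests really omit Framed-MTU, since the fix depends on that.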