Cisco Meraki MS switches offer the ability to configure access policies, which require connecting devices to authenticate against a RADIUS server before they are granted network access. These access policies are typically applied to ports on access-layer switches, to prevent unauthorized devices from connecting to the network.
This article outlines what options are available for access policies, how to configure access policies in Dashboard, and the configuration requirements for RADIUS servers.
As of MS 9.16, changes to an existing access policy will cause a port-bounce on all ports configured for that policy.

Host Modes

Support for all host modes is available as of MS 10.12.
There are four authentication host modes to choose from:

  • Single-Host (Default)
    With single-host authentication, a connected device will attempt authentication and if it fails to authenticate, the client will be denied access. This mode is recommended for switchports with only one client attached. If multiple devices are connected to the same switchport (for example a device connected via a hub or daisy-chained off of a VoIP phone), only one client will be allowed network access upon successful authentication. All subsequent authentication requests from other clients will be ignored and they will not be granted access as a result.
  • Multi-Domain
    With multi-domain authentication, one device can be authenticated on each of the data and voice VLANs; if a second device is detected on one of the VLANs, that device will not be granted access. In this manner, Hybrid Authentication is used and Voice VLAN authentication is required. This mode is recommended for switchports connected to a telephone with a device behind the telephone. Authentication is independent on each VLAN and will not affect the forwarding state of the other.
    Cisco Meraki switches require the following attribute-value pair within the Access-Accept frame to put devices on the voice VLAN:

    • Cisco-AVPair: device-traffic-class=voice
  • Multi-Auth
    With multi-auth, each connected device is required to authenticate. Multiple devices may be connected to each port. After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port. Only one client is supported on the voice VLAN. Guest VLANs are not supported in this mode.
  • Multi-Host
    With multi-host, a single successful authentication will put the port into a forwarding state.  All subsequent authentication attempts are ignored. This is recommended in deployments where the authenticated device acts as a point of access to the network, for example, hubs and access points.

Access Policy Types

There are three options available for an access policy in Dashboard:

  • 802.1X (Default)
    When an 802.1X access policy is enabled on a switchport, a client that connects to that switchport will be prompted to provide their domain credentials. If the RADIUS server accepts these credentials as valid, their device will be granted access to the network and get an IP configuration. If no authentication is attempted, they will be put on a “guest” VLAN, if one is defined.
    802.1X access policies are commonly used in enterprise environments, since they can authenticate against the existing domain userbase.
  • MAC Authentication Bypass (MAB)
    When a MAB access policy is enabled on a switchport, the client’s MAC address is authenticated against a RADIUS server without needing to prompt the user. If the server accepts the MAC as valid credentials for the network, the device will be allowed access.
    MAB access policies are useful for a more seamless user experience, restricting the network to specific devices without needing to prompt the user.
  • Hybrid Authentication
    When a hybrid access policy is enabled on a switchport, the client will first be prompted to provide their domain credentials for 802.1X authentication. If 802.1X authentication fails, or if the switch does not receive any EAP packets within 8 seconds to begin 802.1X authentication, then the client’s MAC address will be authenticated via MAB. If both methods of authentication fail, the device will be put on a “guest” VLAN, if one is defined.
    Hybrid authentication is helpful in environments where not every device supports 802.1X authentication, since MAB exists as a failover mechanism.

[Figure: MS 802.1X auth flow chart]

Change of Authorization (CoA)

Meraki MS switches support CoA for RADIUS re-authentication and disconnect, as well as port bounce. For more information, please see the following KB article.

  • URL Redirect Walled Garden (Supported on MS210/225/250/350/355/390**/410/420/425)
    By default, URL redirect is enabled with CoA. This can be used to redirect clients to a web page for authentication. Before authentication, HTTP traffic is allowed but the switch redirects it to the redirect-url. The walled garden can be used to limit access to the web server only. This feature will only be enabled if one or more supported switches are in the network. Configuration of this feature will be ignored by unsupported switches.

Note: UDP/1700 is the default port used by all MS for CoA.
**Note: MS390s support RADIUS URL-Redirect as of MS15.

Other RADIUS Features

  • RADIUS Accounting
    RADIUS Accounting can be enabled to send start, interim-update (default interval of 20 minutes) and stop messages to a configured RADIUS accounting server for tracking connected clients. Meraki’s implementation follows the IETF’s RFC 2869 standard.
    As of MS 10.19, device sensor functionality for enhanced device profiling has been added by including CDP/LLDP information in the RADIUS Accounting message (MS120/125/220/225/250/320/350/355/410/425/450). As of 14.19 the MS390 also supports device sensor with enhanced attributes across LLDP, CDP, and DHCP for profiling.
  • RADIUS Testing
    Meraki switches will periodically send Access-Request messages to these RADIUS servers using identity ‘meraki_8021x_test’ to ensure that the RADIUS servers are reachable.  If unreachable, the switch will failover to the next configured server.
  • RADIUS Monitoring
    In addition to the mechanism in RADIUS Testing, if all RADIUS servers are unreachable, clients attempting to authenticate will be put on the “guest” VLAN.  When the connectivity to the server is regained, the switchport will be cycled to initiate authentication.  Please contact Meraki Support to enable this feature.
    As of MS 9.13, test messages are sent every 30 minutes.
  • Dynamic VLAN Assignment
    In lieu of CoA, MS switches can still dynamically assign a VLAN to a device by assigning the VLAN passed in the Tunnel-Pvt-Group-ID attribute. It may be necessary to perform dynamic VLAN assignment on a per-computer or per-user basis. This can be done on your wired network via 802.1X authentication (RADIUS). In order to do so, the following RADIUS attributes must be configured and passed in the RADIUS Access-Accept message from the RADIUS server. Once these attributes are configured on the RADIUS server, client devices can receive their VLAN assignment dynamically.

    For more information on how to configure this with NPS, visit Microsoft’s article on Configuring a Network Policy for VLANs.
    Dynamic VLAN Assignment is not supported on the voice VLAN/domain.

    • Tunnel-Medium-Type: Under “Attribute value: Commonly used for 802.1X”, choose 802 (includes all 802 media plus Ethernet canonical format).
    • Tunnel-Private-Group-ID: Choose String and enter the desired VLAN (e.g. “500”). This string specifies VLAN ID 500.
    • Tunnel-Type: Under “Attribute value: Commonly used for 802.1X”, select Virtual LANs (VLANs).
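The three tunnel attributes listed above, together with the Cisco-AVPair from the Multi-Domain section, encoded the way they travel in an Access-Accept and parsed back out, as an added example (not code from the page or from Meraki). The tag value 0, the Tunnel-Type/Tunnel-Medium-Type numbers from RFC 2868, and the rule that all three attributes must agree before a VLAN is applied are assumptions; the parser lets a captured Access-Accept be checked against what the server was meant to send.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2868, plus the Cisco vendor-specific pair
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6        # "Virtual LANs (VLANs)", "802"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def avp(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vlan_assignment_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """The three tunnel attributes listed above; each starts with a one-byte tag (0 = untagged)."""
    tag_b = bytes([tag])
    return (avp(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, tag_b + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tag_b + str(vlan_id).encode()))

def voice_domain_attrs() -> bytes:
    """Cisco-AVPair VSA (vendor 9, vendor-type 1) that puts a phone on the voice VLAN."""
    inner = b"device-traffic-class=voice"
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(inner)) + inner
    return avp(VENDOR_SPECIFIC, vsa)

def parse_attrs(data: bytes) -> dict:
    """Walk an attribute list and collect the values the switch acts on."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        val = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = int.from_bytes(val[1:], "big")            # skip the tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string
            out["vlan"] = (val[1:] if val[:1] <= b"\x1f" else val).decode()
        elif (atype == VENDOR_SPECIFIC and len(val) > 6
              and val[:4] == CISCO_VENDOR_ID.to_bytes(4, "big") and val[4] == CISCO_AVPAIR):
            key, _, value = val[6:].decode().partition("=")
            out[key] = value
        i += alen
    return out

def assigned_vlan(parsed: dict):
    """VLAN the switch would apply; requires all three tunnel attributes to agree (assumed here)."""
    if parsed.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and parsed.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802:
        return parsed.get("vlan")
    return None
```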
  • Guest VLAN
    Guest VLANs can be used to allow unauthorized devices access to limited network resources.  This is not supported on the voice VLAN/domain.
  • Failed Authentication VLAN
    A client device connecting to a switchport controlled by an access policy can be placed in the failed authentication VLAN if the RADIUS server denies its access request.

    Client devices may fail RADIUS authentication because they do not comply with the network’s security requirements. The failed authentication VLAN provides such clients with limited network access for remediation purposes.
    Failed Authentication VLAN is only supported in the Single Host, Multi Host and Multi Domain modes. Access policies using Multi Auth mode are not supported.

  • Re-authentication Interval
    When the Re-authentication Interval (time in seconds) is specified, the switch will periodically attempt authentication for clients connected to switchports with access policies. Apart from providing a better security policy by periodically validating client authentication in a network, the re-authentication timer also enables the recovery of clients placed in the Failed Authentication VLAN because of incomplete provision of credentials.

    Re-authentication will not occur if no re-authentication interval has been configured, or if a re-authentication interval has been configured but the switch has lost connectivity to all the RADIUS servers listed under the access policy.

  • Critical Authentication VLAN
    The critical authentication VLAN can be used to provide network connectivity to client devices connecting on switchports controlled by an access policy when all the RADIUS servers for that policy are unreachable or fail to respond to the authentication request in time.

    When the RADIUS servers are not reachable from the switch, authentication requests for clients attempting to connect to the network will fail, resulting in clients being denied access. The critical authentication VLAN ensures that these clients are still able to access business-critical resources by placing them in a separate VLAN, while also allowing network administrators better control over the network access available to clients when their identities cannot be established using RADIUS.
    The critical data and critical voice VLANs should not be the same.
    Configuring a Critical Authentication VLAN or Failed Authentication VLAN under an access policy may affect its existing Guest VLAN behavior. Please consult the Interoperability and backward-compatibility section of this document for details.

  • Suspend port bounce
    When connectivity between the switch and any of the RADIUS servers is restored, the switch will attempt to authenticate the clients which it had placed in the Critical Authentication VLAN. The switch does this by bouncing (turning off and on) the switchports on which these clients are connected. If required, this port-bounce action can be disabled by enabling the Suspend port bounce option. When port-bounce is suspended, the clients will be retained in the Critical Authentication VLAN until a re-authentication for these clients is manually triggered.

Interoperability and backward-compatibility in VLAN assignments

If Critical and/or Failed Authentication VLANs are specified in an access policy, the Guest VLAN functionality gets modified to ensure backward-compatibility and interoperability between the configured VLANs. Please refer to the Interoperability and backward-compatibility table below for more details on this.
The following matrix shows the remediation VLAN, if any, that a client device would be placed in for the different combinations of the remediation VLAN configuration options and the RADIUS authentication result.

Configured options          | EAP timeout (802.1X policies only) | RADIUS timeout (server unreachable) | Authentication Fail
----------------------------|------------------------------------|-------------------------------------|--------------------
Guest (existing behaviour)  | Guest VLAN                         | Guest VLAN                          | Access denied (1)
Failed                      | Access denied                      | Access denied                       | Failed Auth VLAN
Critical                    | Access denied                      | Critical Auth VLAN                  | Access denied
Guest and Failed            | Guest VLAN                         | Guest VLAN                          | Failed Auth VLAN
Guest and Critical          | Guest VLAN                         | Critical Auth VLAN                  | Access denied (1)
Critical and Failed         | Access denied                      | Critical Auth VLAN                  | Failed Auth VLAN
Guest, Failed and Critical  | Guest VLAN                         | Critical Auth VLAN                  | Failed Auth VLAN

(1) When using hybrid authentication without increased access speed (concurrent-auth), a client failing both 802.1X and MAB authentication will also be placed in the Guest VLAN. Please refer to the Access Policy Types section of the MS Switch Access Policies documentation for details.
MS 14 is the minimum firmware version required for the following configuration options.

  1. Failed Authentication VLAN
  2. Re-authentication Interval
  3. Suspend Re-authentication when RADIUS servers are unreachable
  4. Critical Authentication VLANs
  5. Suspend port bounce

RADIUS Attributes

When an access policy is configured with a RADIUS server, authentication is performed using PAP. The following attributes are present in the Access-Request messages sent from the MS switch to the RADIUS server.

  • User-Name
  • NAS-IP-Address
  • Calling-Station-Id: Contains the MAC address of the Meraki MS switch (all caps, octets separated by hyphens). Example: “AA-BB-CC-DD-EE-FF”.
  • Called-Station-Id: Contains the MAC address of the Meraki MS switch (all caps, octets separated by hyphens).
  • Framed-MTU
  • NAS-Port-Type
  • EAP-Message
  • Message-Authenticator

Note: Please refer to RFC 2865 and RFC 3579 for details on these attributes; additional notes for certain attributes are included below.
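An added example (not code from the page or from Meraki) that builds an Access-Request shaped like the ‘meraki_8021x_test’ reachability probe using the attributes listed above, and then checks its Message-Authenticator the way a RADIUS server does per RFC 3579, which is the check that lets the server reject a forged or altered request. The shared secret, addresses and Framed-MTU value are constructed, EAP-Message is left out, and the switch MAC in Calling-Station-Id follows the text.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, MESSAGE_AUTHENTICATOR = 1, 80
USER_NAME, NAS_IP_ADDRESS, FRAMED_MTU, NAS_PORT_TYPE = 1, 4, 12, 61
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE_ETHERNET = 30, 31, 15

def avp(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def meraki_mac(mac: str) -> bytes:
    """Format from the text: upper-case octets separated by hyphens."""
    return mac.upper().replace(":", "-").encode()

def build_test_request(secret: bytes, nas_ip: str, switch_mac: str, ident: int = 1,
                       authenticator: bytes = b"") -> bytes:
    """Constructed Access-Request resembling the MS probe (EAP-Message omitted, MTU assumed)."""
    authenticator = authenticator or os.urandom(16)          # 16-byte Request Authenticator
    attrs = (avp(USER_NAME, b"meraki_8021x_test")
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(CALLING_STATION_ID, meraki_mac(switch_mac))  # the text lists the switch MAC here
             + avp(CALLED_STATION_ID, meraki_mac(switch_mac))
             + avp(FRAMED_MTU, struct.pack("!I", 1400))
             + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))           # zeros while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 3579 section 3.2: HMAC-MD5 keyed with the shared secret over the whole packet
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: find the attribute, zero its value, recompute the HMAC and compare."""
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False
    i = 20
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            return False                                          # malformed length field
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            calc = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(calc, pkt[i + 2:i + 18])
        i += alen
    return False                                                  # attribute missing
```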

Creating an Access Policy on Dashboard

  1. On the Dashboard navigate to Configure > Access Policies.
  2. Click on the link Add Access Policy in the main window then click the link to Add a server. 
  3. Enter the IP address of the RADIUS server, the port (default is 1812), and the secret created earlier.
  4. Select the required options, as described above.
  5. Click Save changes.


Apply Access Policy to Switch Ports

  1. Navigate to Configure > Switch Ports.
  2. Select the port(s) you would like to apply the access policy to and press the Edit button.
  3. Convert the port type from trunk to access.  Note: you can only apply an Access Policy to an access port.
  4. From the Access Policy drop-down box, select the Access Policy you created and press the Update ports button.


Unmanaged Switches Between MS and Client for RADIUS Authentication

When using PEAP EAP-MSCHAPv2 on an MS switchport, if an unmanaged switch is between the supplicant (user machine) and the RADIUS client (MS), the authentication will fail. The reasoning is explained below:

  • The destination of the EAPOL (RADIUS exchange) frame is a special multicast address that 802.1D-compliant bridges do not forward.
  • This destination is labeled as “nearest” in Wireshark, which means that the frame should only be forwarded to the next layer 2 device.
  • If the unmanaged switch is added into the topology between the client and the MS, the next layer 2 device is the unmanaged switch, and because the multicast “nearest” address is not meant to traverse multiple switches, the unmanaged switch drops the packets. This prevents the client from being authorized.

There is a workaround for this, but special considerations must be taken before implementing it:

  • This is not due to a fault in the MS but is the way that EAPOL is designed.
  • It is possible to circumvent this by using MAC-based RADIUS authentication. If one machine authenticates via MAC-based RADIUS through the MS on an unmanaged switch, the machine that has authenticated will be granted access. It is a workaround; it is less secure and requires more configuration on the NPS and DC.