Cisco Meraki Security & SD-WAN appliances (MX, Z-Series, and Secure Routers running MX OS) support 802.1X port-based authentication on their LAN ports. This allows wired devices connecting to the MX to be authenticated against the Cloudi-Fi Cloud RADIUS servers before being granted network access.
This article covers when to use 802.1X on an MX, how to configure it against Cloudi-Fi's RADIUS servers, and the current limitations of the MX implementation.
Use cases
Enable 802.1X on the MX LAN ports when you need to authenticate wired devices connecting directly to the appliance's ports, rather than through a switch. Typical scenarios include:
- Small sites or branch offices where the MX ports also act as the access layer for wired clients (no separate access switch with its own 802.1X support).
- Environments where you want wired clients to go through the same Cloudi-Fi captive portal / RADIUS authentication flow used for Wi-Fi, so wired and wireless access share a consistent authentication and guest management policy.
- Situations where MAC authentication bypass alone isn't sufficient and you want to require credential-based (EAP) authentication, or a fallback between the two (see Hybrid mode below).
If wired clients connect through a managed switch rather than directly to the MX, 802.1X should generally be configured on the switch instead, using the same Cloudi-Fi RADIUS servers.
Prerequisites
- Your Meraki organization synchronized with your Cloudi-Fi tenant (see below).
- The IP address and port of the Cloudi-Fi Cloud RADIUS server(s) to use for authentication.
- The RADIUS shared secret configured for the site/appliance in the Cloudi-Fi platform.
- Administrative access to the Meraki Dashboard for the network containing the MX.
Synchronizing your Meraki organization with Cloudi-Fi
Before configuring 802.1X, the MX's Meraki network must be synchronized with Cloudi-Fi so the appliance is registered as a location in the Cloudi-Fi platform. This is done via the Meraki API integration:
- In the Meraki Dashboard, go to Organization > API & Webhooks and click Generate API Key. Save the key (each Meraki administrator is limited to two API keys).
- In the Cloudi-Fi Admin UI, go to Configuration > Integrations, select Meraki, and click Enable this Integration.
- Choose Automatic synchronization mode (currently the only option), select the Meraki Cloud (World or China), paste the API key, and click Connect.
- Complete the sync wizard: choose how locations are created (from networks or from AP tags), select whether to import MR access points, MX security appliances, or both, and set the scan scope (all networks, or only selected networks/tags).
- Verify the sync in Cloudi-Fi Admin UI > Locations — your Meraki networks should appear as locations, with the MAC addresses of the Meraki devices populated automatically.
Full details: How to enable Cloudi-Fi with Cisco Meraki MX/MR (API).
Configuration steps
- In the Meraki Dashboard, go to Security & SD-WAN > Configure > Addressing & VLANs.
- Scroll to the Per-port VLAN Settings section — this is the "Configure MX LAN ports" menu.
- For the LAN port(s) you want to protect with 802.1X, configure the access policy:
- Set Enabled to enabled.
- Set Type to access.
- Select the appropriate VLAN.
- Choose the Access policy type: Hybrid authentication or 802.1X authentication (see definitions below).
- Click Add a RADIUS server to configure at least one RADIUS server for authentication:
- Host: the IP address used to reach the Cloudi-Fi RADIUS server.
- Port: the port the RADIUS server is listening on.
- Secret: the shared secret configured for that RADIUS server.
- Save the changes.
Repeat step 3 for each LAN port that should require authentication. Add a second RADIUS server entry if you want redundancy.
Access policy types
Hybrid authentication
Hybrid authentication uses both 802.1X and MAC authentication bypass (MAB). A port configured for Hybrid will first attempt 802.1X to authenticate the connected device against the configured RADIUS servers, and will fail over to MAC authentication bypass if the device does not send any EAP traffic.
If both 802.1X and MAB attempts are unsuccessful, the port keeps retrying both methods. The device is granted access as soon as either method succeeds.
802.1X authentication
The 802.1X policy authenticates connecting devices strictly against the configured RADIUS servers, requiring credentials (via EAP) from the connecting device. There is no MAC authentication bypass fallback with this option.
Limitations
- All LAN ports on a given MX, Secure Router, or Z-Series device share the same RADIUS server configuration, even if each port has a different access policy (Hybrid vs. 802.1X) or VLAN.
- The 802.1X implementation on MX OS devices is designed for single-host authentication per port. Connecting multiple devices behind the same port (e.g., through a hub or unmanaged switch) is not recommended and may cause authentication issues.
- Plugging a switch into an 802.1X/Hybrid-enabled MX LAN port is not supported: switches don't run an 802.1X supplicant by default, so on a strict 802.1X port the port stays unauthorized and nothing behind it gets access. On a Hybrid port, the MX falls back to MAC authentication bypass on the switch's own MAC address — if allowed, this opens a single authenticated session that every device behind the switch shares, with no per-device authentication or accounting.
- RadSec is not supported.