Cisco Meraki MS switches support 802.1X port-based authentication on their switch ports. This allows wired devices — PCs, IP phones, printers, access points, etc. — connecting to the switch to be authenticated against the Cloudi-Fi Cloud RADIUS servers before being granted network access.
This article covers when to use 802.1X on an MS switch, how to configure it against Cloudi-Fi's RADIUS servers, the available authentication modes, and the current limitations of the MS implementation.
Use cases
Enable 802.1X on MS switch ports when you need to authenticate wired devices connecting to the access layer of the network. Typical scenarios include:
- Enterprise/office environments where wired ports need to authenticate users against the existing directory, using the same Cloudi-Fi RADIUS infrastructure as Wi-Fi, for consistent authentication and guest management policy across wired and wireless access.
- Desk setups with an IP phone and a PC daisy-chained through the phone (data + voice on the same port) — covered by Multi-Domain authentication.
- Ports where several independent devices connect and each must authenticate on its own (e.g., shared offices, labs) — covered by Multi-Auth authentication.
- Ports where a single upstream device (a hub or an access point) should open the port for everything behind it — covered by Multi-Host authentication.
- Mixed environments where not every device supports 802.1X and a MAC-based fallback is needed — covered by Hybrid access policies.
Prerequisites
- Your Meraki organization synchronized with your Cloudi-Fi tenant. If this was already done for a Meraki MX or MR integration, the same synchronization covers the MS switches in that organization — see How to enable Cloudi-Fi with Cisco Meraki MX/MR (API).
- The IP address, port, and shared secret of the Cloudi-Fi Cloud RADIUS server(s) to use for authentication.
- Administrative access to the Meraki Dashboard for the organization/network containing the MS switch.
Configuration steps
Configure the organization-wide RADIUS servers. Cloudi-Fi's RADIUS servers must first be added as RADIUS servers at the organization level (host, port, and shared secret for each server). These become available to select from any access policy in the organization.
Create or edit an access policy. Go to Switching > Configure > Access policies and select (or create) the access policy you want to apply.
Set the Authentication (host) mode: Closed (default)
Attach the RADIUS server(s). Scroll to the RADIUS servers section, click Select RADIUS, and check the box next to the Cloudi-Fi RADIUS server(s) this policy should use, then save.
Choose the Access policy type: 802.1X or Hybrid authentication (see definitions below).
Choose the Authentication mode: Multi-Domain, Multi-Auth, or Multi-Host (see definitions below), depending on what's connected to the port (a single PC, a phone + PC, multiple independent devices, or an upstream hub/AP).
Specify a Voice VLAN on the switchport if phones will be connected — this is required for Multi-Domain mode and for voice traffic to be handled correctly after authentication.
Apply the access policy to the relevant switch port(s) under Switching > Configure > Switch ports, and save.
Access policy types
802.1X (default)
When an 802.1X access policy is enabled on a switch port, a connecting client is prompted for domain credentials. If the RADIUS server accepts the credentials, the device is granted access and receives an IP configuration. If no 802.1X authentication is attempted, the device is placed on a "guest" VLAN, if one is defined. This is the standard mode for enterprise environments authenticating against an existing directory/userbase.
Hybrid authentication
With a Hybrid access policy, the client is first prompted for domain credentials via 802.1X. If 802.1X authentication fails, or if the switch receives no EAP packets within 8 seconds, the device's MAC address is authenticated via MAC Authentication Bypass (MAB) instead. If both methods fail, the device is placed on a "guest" VLAN, if one is defined. Hybrid is useful when not every device supports 802.1X, since MAB acts as a failover mechanism.
Authentication modes
Multi-Domain
One device can be authenticated on each of the data and voice VLANs on the same port. If a second device is detected on either VLAN, it will not be granted access. Multi-Domain uses Hybrid authentication, and Voice VLAN authentication is required. This mode is recommended for a switch port connected to a phone with a PC daisy-chained behind it.
Authentication is independent on each VLAN and does not affect the forwarding state of the other VLAN. A Voice VLAN must be specified on the switchport — without it, client devices will be unable to pass traffic properly after authentication.
Multi-Auth
Each connected device must authenticate independently, and multiple devices may be connected to the same port. Once a VLAN is assigned to the first host on the port, subsequent hosts must present matching VLAN information or be denied access.
Multi-Host
A single successful authentication puts the entire port into a forwarding state; all subsequent authentication attempts on that port are ignored. This is recommended for ports where the authenticated device acts as a point of access to the rest of the network — for example, hubs or access points.
Limitations
- Multi-Domain mode requires a Voice VLAN to be specified on the switchport; without it, devices cannot pass traffic properly after authentication.
- Multi-Auth mode supports only one client on the voice VLAN and does not support Guest VLANs.
- Multi-Host mode grants access to every device behind the authenticated device once the first authentication succeeds — there is no per-device authentication, so it should only be used where the connected device (hub/AP) is trusted as the access point to the network.
- RADIUS servers are configured organization-wide; individual access policies select which of those organization-wide servers to use, but the underlying server pool is shared across the organization.
- RADIUS caching is only available on MS390 and Catalyst 9300-M switches.