IoT devices fail to connect on Meraki switches with Hybrid authentication

In this topic, you will learn why IoT devices fail to connect to Meraki switch ports when Hybrid authentication is used, and what configuration options are available to resolve this issue.

Issue:

  • You try to connect an IoT device (for example, a printer or a security camera) via Ethernet to a Meraki switch port.

  • On the Meraki switch, you choose the following Access policy type: Hybrid authentication.

  • Your IoT device fails to connect to the network.

Environment

This is not a Portnox-specific issue but a Meraki issue, which also affects many other solutions. The issue affects all Meraki switches when the Access policy type is set to Hybrid authentication. It has been reported by other Meraki customers using other RADIUS services, too.

Cause

When Hybrid authentication is active, a Meraki switch waits for an EAPOL-Start message from the device for a fixed (but not configurable) amount of time before falling back to MAB authentication. Unfortunately, many IoT devices give up on obtaining a DHCP lease before the switch even initiates MAB, causing the device to fail to join the network.

Resolution

We know of four different solutions to this problem. Which solution you choose depends on your environment and your requirements.

Option 1: Increase access speed

  1. In your Meraki configuration web interface, go to Switching > Access Policies and scroll down to the policy that you want to edit.
  2. Find the Access policy type section with Hybrid authentication selected, and activate the Increase access speed checkbox.

    This setting instructs the Meraki switch to attempt both 802.1X and MAB authentication at the same time.

  3. Save your changes.
Note:
This can lead to an increase in authentication failure alerts in Portnox Cloud. This is because devices configured for 802.1X will successfully authenticate using 802.1X, but typically fail MAB authentication, as their MAC addresses are not whitelisted in a MAB account. This behavior is expected and normal when Increase access speed is enabled on Meraki switches.
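Because Increase access speed makes every 802.1X-capable device also produce a MAB reject, the useful check is to separate that expected noise from rejects with no matching 802.1X success. The following script is an added example, not Portnox or Meraki code; the event line format (timestamp, client MAC, method, result) and the 10-second pairing window are constructed assumptions for illustration, not the Portnox Cloud export format.

```python
"""Triage of RADIUS authentication events from a port running Meraki Hybrid
authentication with "Increase access speed" enabled.

Added example, not Portnox or Meraki code. The event format below is a
constructed, simplified one (timestamp, client MAC, method, result), not the
actual Portnox Cloud export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a supplicant-capable laptop that passes 802.1X but
# fails the parallel MAB attempt, a printer that passes MAB only, and a camera
# whose MAC is not whitelisted and that never tries 802.1X (a genuine failure).
SAMPLE_EVENTS = """\
2024-05-01T08:00:00 00:11:22:33:44:55 MAB REJECT
2024-05-01T08:00:01 00:11:22:33:44:55 802.1X ACCEPT
2024-05-01T08:00:05 aa:bb:cc:dd:ee:01 MAB ACCEPT
2024-05-01T08:00:09 aa:bb:cc:dd:ee:02 MAB REJECT
2024-05-01T08:00:40 aa:bb:cc:dd:ee:02 MAB REJECT
"""

# Window in which a MAB reject and an 802.1X accept for the same MAC count as
# one Increase-access-speed attempt pair (assumed value, tune for your site).
PAIR_WINDOW = timedelta(seconds=10)


def parse_events(text):
    """Parse the constructed event lines into dicts; skip blank/malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, mac, method, result = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "mac": mac.lower(),
            "method": method,
            "result": result,
        })
    return events


def classify_mab_rejects(events):
    """Return {mac: {"expected": n, "genuine": n}} for MACs that had MAB rejects.

    A MAB reject is 'expected' when the same MAC has an 802.1X ACCEPT within
    PAIR_WINDOW: that is the parallel-attempt noise the note above describes.
    Anything else is a genuine failure worth investigating.
    """
    by_mac = defaultdict(list)
    for ev in events:
        by_mac[ev["mac"]].append(ev)

    verdicts = {}
    for mac, evs in by_mac.items():
        dot1x_ok = [e["time"] for e in evs
                    if e["method"] == "802.1X" and e["result"] == "ACCEPT"]
        counts = {"expected": 0, "genuine": 0}
        for e in evs:
            if e["method"] != "MAB" or e["result"] != "REJECT":
                continue
            paired = any(abs(t - e["time"]) <= PAIR_WINDOW for t in dot1x_ok)
            counts["expected" if paired else "genuine"] += 1
        if counts["expected"] or counts["genuine"]:
            verdicts[mac] = counts
    return verdicts


def genuine_failures(events):
    """MACs with at least one MAB reject not explained by a paired 802.1X success."""
    return sorted(m for m, c in classify_mab_rejects(events).items() if c["genuine"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for mac, c in classify_mab_rejects(evs).items():
        print(f"{mac}: expected={c['expected']} genuine={c['genuine']}")
    print("investigate:", genuine_failures(evs))
```

On the constructed sample, the laptop's MAB reject is paired with its 802.1X accept and is reported as expected, while the camera's two rejects have no 802.1X success nearby and are flagged for investigation (a MAC missing from the MAB account, or an IoT device that is not whitelisted). Run it against a real export after adapting `parse_events` to that format.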

Option 2: MAC authentication bypass

  1. In your Meraki configuration web interface, go to Switching > Access Policies and scroll down to the policy that you want to edit.
  2. Find the Access policy type section with Hybrid authentication selected, and change the Access policy type to MAC authentication bypass.

  3. Save your changes.
Note:
802.1X devices will be unable to connect to ports that have this policy applied. If you have dedicated ports for IoT devices, this should not pose a problem. IoT devices connected to these ports will connect on the basis of their MAC addresses.

Option 3: Configure 802.1X on IoT devices

Note:
This option is only possible if all your IoT devices support 802.1X.
  • If your IoT devices do not support certificates: Create a Portnox account in Portnox Cloud specifically for IoT devices, and configure those devices to authenticate using PEAP/MSCHAPv2 with a username and password.
  • If your IoT devices support certificates (EAP-TLS): See the following documentation topic: Redirecting.

Option 4: Static IP addresses

Note:
This option is only possible if all your IoT devices support static IP addresses.
Configure your IoT devices with static IP addresses instead of relying on DHCP.

Since these devices ultimately authenticate via MAB, but often give up on obtaining an IP address via DHCP before MAB completes, assigning static IPs eliminates this issue and you can keep using Hybrid authentication.