topic Re: Wireless RADIUS concentrator in Wireless

Wireless RADIUS concentrator

Billy3 — Wed, 18 Apr 2018 05:47:14 GMT

I have a network consisting of a few sites connected through VPN (Hub/Spoke) with several access points and I want to provide certificate based authentication for a specific SSID through the NPS server.

Having to configure several IPs as a source on the NPS server is quite time consuming, enabling the Meraki's RADIUS proxy and exposing the server to the internet is definitely not the best option and using a Wireless Concentrator and driving all of the wireless traffic to a single point would result in a non-optimal bandwidth utilization.

Is there any way, or any plans to implement a way of using a single source for all those RADIUS requests? The ability of configuring one of the MX devices as a RADIUS proxy would be a nice feature

Re: Wireless RADIUS concentrator

Philip D'Ath — Wed, 18 Apr 2018 06:27:16 GMT

Did you know you can specify a prefix instead of an individual IP address in NPS? For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.

Re: Wireless RADIUS concentrator

Philip D'Ath — Wed, 18 Apr 2018 06:29:38 GMT

Also did you know if you use Systems Manager you can have it deploy a certificate automatically on each machine, for certificate based authentication, and you don't even need NPS? Considering how cheap Systems Manager is - this is quite a good option. WiFi authentication is no longer dependent on any of your infrastructure.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authentication_with_Systems_Manager_and_Meraki_APs

Re: Wireless RADIUS concentrator

Billy3 — Thu, 19 Apr 2018 00:29:01 GMT

@Philip D'Ath wrote:
Did you know you can specify a prefix instead of an individual IP address in NPS? For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.

The certificate based authentication is tested and works, however I'd rather not go with a generic /16 definition as a source.

Furthermore, there is an additional SSID that authenticates in NPS servers that I don't manage and pass through firewalls that I also don't manage (merged companies). From a security compliance perspective, there's no way that a /16 definition would be accepted.

Re: Wireless RADIUS concentrator

Philip D'Ath — Thu, 19 Apr 2018 00:32:12 GMT

If you are using an NPS server as a remote proxy for the additional SSID, then all those requests will come from one IP address - that of the remote NPS proxy server.