topic Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points in Wireless

Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

Ajesh1 — Mon, 02 Jun 2025 15:38:17 GMT

Hi Team,

I have multiple wireless access points connected to the network that obtain their IP addresses via DHCP. As a result, their IP addresses change periodically.

I need to configure these APs as RADIUS clients in Windows NPS. However, since NPS requires an IP address or DNS name to identify RADIUS clients, using dynamic IPs directly is not feasible in this case.

Could you please advise if there is a way to configure these APs as RADIUS clients using their MAC addresses, or is there any alternative method to handle this scenario without relying on static IPs?

Looking forward to your guidance.

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

ww^ — Mon, 02 Jun 2025 15:42:33 GMT

Put all AP's management in a single/same vlan

Then add the whole subnet used by that vlan to the radius

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

Ajesh1 — Mon, 02 Jun 2025 15:48:17 GMT

Do you mean placing all the access points in a single VLAN and using the gateway IP address of that VLAN as the RADIUS client in NPS?

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

ww^ — Mon, 02 Jun 2025 15:49:58 GMT

Not the gateway. Just the whole subnet assigned to that vlan.

For example 192.168.1.0/24

From ai:

Here's how to do it:

Open NPS Console: In Server Manager, click on "Tools," then "Network Policy Server".

Access RADIUS Clients: In the NPS console, expand "RADIUS Clients and Servers" and right-click on "RADIUS Clients".

Add a New Client: Choose "New".

Configure Client:

Enter a "Friendly name" for the client.

In the "Address (IP or DNS)" field, enter the subnet in CIDR notation (e.g., 192.168.1.0/24).

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

aleabrahao — Mon, 02 Jun 2025 15:52:10 GMT

You can just make an IP reservation for the APs on your DHCP server and the problem is solved.

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

Ajesh1 — Mon, 02 Jun 2025 15:53:38 GMT

Thanks, I'll try that approach.

Just one more question — if we place all the APs in a dedicated VLAN and use the subnet of that VLAN as the RADIUS client in NPS, can we still connect end-user devices (like laptops and phones) in the same subnet/VLAN?

Will there be any impact or potential issues with this setup?

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

martin-lystad — Mon, 02 Jun 2025 17:13:33 GMT

From a security and management perspective i would keep them separated. Otherwise it will not pose any issues having end users in the same vlan as APs and adding that subnet to the client list on the NPS server.

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

MerakiGnome — Mon, 02 Jun 2025 19:41:54 GMT

^^ Do this ^^

I always place my Meraki devices in their own Meraki Management VLAN. That way you can add the whole subnet to your NPS

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

Philip D'Ath — Mon, 02 Jun 2025 21:47:08 GMT

Add it to NPS using the supernet if you like. Like 192.168.0.0/16. You should only need a single entry for all your APs.

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

Brash — Tue, 03 Jun 2025 02:01:01 GMT

The only potential issue is it presents a security risk.

Any of the clients on that VLAN will be able to send RADIUS requests to the NPS server which can allow for malicious actions.

Re: Query Regarding RADIUS Client Configuration for DHCP-Based Wireless Access Points

Rasmus Hoffmann Birkelund — Tue, 03 Jun 2025 19:03:25 GMT

Not sure about NPS but for Cisco ISE, one caveat with just adding the entire Management network in is that then using the Live Log for troubleshooting you will only see the NAD as the subnet, and not the device itself, as the NAD is created on the configured IP address. So if you need to determine which device it authenticating, you'll need to have added the NAD with it's host address, and not the entire network.