topic Re: Radius Authentication via Access Points in Wireless

Radius Authentication via Access Points

Captain2 — Wed, 21 Aug 2024 14:21:36 GMT

Hi,

We have a "special" setup for one of our sites which have its clients (PCs) connecting through the wifi using radius authentication.

The radius server is physically located at the same site with the clients that try to authenticate.

The traffic flow for all auth requests goes like:

Client (PC) -> AP -> MX -> WWW -> Meraki Cloud

-> Meraki Cloud-> MX -> Radius server

We are concerned about security as some of the packets (UDP 1812) might be intercepted somewhere in between the Meraki Cloud to MX and EAP packets are not encrypted.

I would like to know:

1. The radius packets sent to Meraki Cloud and back to MX are encrypted?
It makes sense that all the traffic that is being sent between MX <> Meraki Cloud is encapsulated and encrypted
But I don't know for sure and maybe as these are UDP1812 they are excluded from being included in the encapsulation?
My question is - is this setup secure or not?

2. Is it possible not to send the packets from APs -> Meraki Cloud just for them to reach back to the inside LAN where the Radius server is?

RADIUS Proxy for WPA2-Enterprise SSIDs - Cisco Meraki Documentation

Regards,

Re: Radius Authentication via Access Points

Raphael_L — Wed, 21 Aug 2024 14:29:50 GMT

Hi ,

Is there a good reason why you are using RADIUS proxy ?

Wouldn't it be easier to use your own RADIUS servers without a proxy ?

Re: Radius Authentication via Access Points

Karsten Iwen — Wed, 21 Aug 2024 14:52:05 GMT

As @Raphletourn says. The typical use-case for the RADIUS-Proxy is if you have branches that don't have IP connectivity to a central RADIUS server.

Re: Radius Authentication via Access Points

Captain2 — Wed, 21 Aug 2024 15:54:08 GMT

Hi RaphaeIL,

Thanks a lot for your quick response!

We actually do have the Radius servers on the same premise as the clients are.
When we tried at the beginning to forward all traffic from the access points directly to the radius servers on premise it didn't work. I figured out that as the access points are "reporting" everything to the Meraki Cloud it has to flow through the Meraki Cloud, and then from there back to the site (and it worked fine so far).

Apparently, it can be done without Meraki Cloud as a proxy, and now I'd like to understand how to actually have ut corrected.

If I change the radius servers ip addresses to point to the servers private ip addresses, then the traffic will never need to traverse through WAN to reach over back again to the local network.

But then how does the access points will be able to reach the radius servers lan?
Both the radius servers and the APs are on different management networks.

For instance, let's say that

the access points are on network 192.168.128.0/24 - VLAN X.

and the radius servers are on network 10.1.1.0/24 - VLAN Y.

both of the vlans are defined on the MX addressing and vlans and have gateways.

Adding routing rules / group policies to allow intervlan routing? Where? How?

Nowadays

Private IPs in inside lan

Best Regards,

Re: Radius Authentication via Access Points

Raphael_L — Wed, 21 Aug 2024 18:58:49 GMT

Hi ,

But then how does the access points will be able to reach the radius servers lan?
Both the radius servers and the APs are on different management networks.

For instance, let's say that

the access points are on network 192.168.128.0/24 - VLAN X.

and the radius servers are on network 10.1.1.0/24 - VLAN Y.

both of the vlans are defined on the MX addressing and vlans and have gateways.

Yes the AP and the RADIUS server(s) need to have IP reachability.

Is the routing done by a MX / MS or something else ? if so you have to make sure that inter-vlan routing is enabled and that UDP 1812-1813 is allowed between these vlans/endpoints.