In the section about the Guest access they reference that the policy server needs to be publicly reachable on the internet. I am guessing this is so that the Meraki cloud can communicate with it? Rather than simply have the server wide open to the internet I am wondering if there is a list somewhere that can be used to limit exposure to this server from something more specific? At least only open on specific ports? I want this to be as secure as possible and am thinking there should be a best practice or something with more detail on setting this up. Maybe I am over thinking this too much?
Go to Help > Firewall Info. It will list the IP addresses that you'll need to allow through your firewall. Most of them are outbound rules, so unless your firewall is restricting outbound access, you can ignore those. After you've specified your RADIUS server's information and have a setup configured for RADIUS authentication, you should see an entry for inbound traffic associated with RADIUS. As you'll see, you only need to permit UDP port 1812 (you can do 1813 as well) for the Meraki IP addresses listed in that entry. See attached for an example.