
How to simplify MR declaration in a RADIUS server?

dimatt45
Level 1

Hello,

I have a RADIUS server and a lot of MR access points.

Wi-Fi is protected by RADIUS authentication.

All the APs have to be declared on the RADIUS server for it to work.

How can I declare only one IP address for all the APs in the same network to simplify the RADIUS configuration?

I have seen some options like NAS ID, caller ID, ...

Do you have any idea?

Thanks.

Accepted Solutions

As mentioned by @DarrenOC, go for a per-subnet RADIUS client entry on your RADIUS solution.
RADIUS attributes like NAS ID / Type etc. can't be used for the authentication of the RADIUS session itself; they are used once the RADIUS session is correctly configured and working, mainly to filter client connections by things like SSID, connection speed and wireless capabilities, so you can make very specific authorization rules for the clients as RADIUS results.

The only way to use 1 IP for all clients, though in my opinion not the way to go, is to place a NAT device as close to the RADIUS server as possible that translates all requests, but this makes troubleshooting a real pain in the... (to be filled in with your favorite 🙂)

Also, one common practice, as we do a lot of Cisco Blue / Meraki or hybrid setups with RADIUS (mainly Cisco ISE): we make 2 mgmt VLANs per location, one for the switches and the other for the APs, to make the RADIUS differences between types easier from an ISE/RADIUS perspective.

Hope this helps. If not, let us know and we'll help you further.
With regards, Yoeri
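
Added example (not from the thread or from any RADIUS product): why a per-subnet client entry works while NAS-Identifier cannot replace it. The server selects the shared secret from the packet's source IP before it can trust any attribute inside the packet. Subnets, secrets and function names are constructed for illustration, and the most-specific-entry rule is an assumption of this sketch.

```python
import hashlib
import hmac
import ipaddress
import struct

# Hypothetical client table: one entry per management subnet instead of one per AP.
# Subnets and secrets are constructed sample values.
CLIENTS = {
    "10.10.20.0/24": b"ap-mgmt-secret",      # dedicated AP management VLAN
    "10.10.30.0/24": b"switch-mgmt-secret",  # separate switch management VLAN
}

def find_client(src_ip):
    """Return (subnet, secret) for the most specific entry containing src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    hits = [(ipaddress.ip_network(n), s) for n, s in CLIENTS.items()
            if ip in ipaddress.ip_network(n)]
    if not hits:
        return None
    net, secret = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), secret

def attr(type_, value):
    return bytes([type_, len(value) + 2]) + value

def build_access_request(secret, nas_id, ident=1, authenticator=bytes(16)):
    """Access-Request with NAS-Identifier (32) and Message-Authenticator (80)."""
    attrs = attr(32, nas_id) + attr(80, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def accept_packet(src_ip, packet):
    """Pick the secret by source IP only, then verify Message-Authenticator."""
    client = find_client(src_ip)
    if client is None:
        return False                     # unknown source: no secret, attributes never trusted
    secret, pos = client[1], 20
    while pos + 2 <= len(packet):        # walk the attribute TLVs after the 20-byte header
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return False
        if t == 80 and l == 18:          # HMAC-MD5 over the packet with this field zeroed
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False
```

Any host inside a listed subnet that knows the secret is accepted as a NAS, which is why the dedicated AP management VLAN suggested in this thread matters.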

7 Replies

MerakiGnome
Meraki Community All-Star

Instead of configuring each individual AP IP, add the IP subnet.

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

ww^
Meraki Community All-Star

Yes, put all Meraki hardware in the same VLAN and add that subnet to the RADIUS server.

Another option is RADIUS proxy:

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Proxy_for_WPA2-Enterprise_SSIDs

MerakiGnome
Meraki Community All-Star

@Yoeri Oppelaar Good idea on the dual mgmt VLANs

Darren OConnor
https://www.linkedin.com/in/darrenoconnor

One dedicated VLAN for the AP mgmt and declaring the subnet on the RADIUS server seems to be the best solution.

Thanks for your help.

aleabrahao
Meraki Community All-Star

I'm with @DarrenOC on this one.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

DainBrammage
Level 7

With RADIUS Proxy