06-02-2025 08:38 AM
Hi Team,
I have multiple wireless access points connected to the network that obtain their IP addresses via DHCP. As a result, their IP addresses change periodically.
I need to configure these APs as RADIUS clients in Windows NPS. However, since NPS requires an IP address or DNS name to identify RADIUS clients, using dynamic IPs directly is not feasible in this case.
Could you please advise if there is a way to configure these APs as RADIUS clients using their MAC addresses, or is there any alternative method to handle this scenario without relying on static IPs?
Looking forward to your guidance.
06-02-2025 08:42 AM
Put all APs' management in a single/same VLAN.
Then add the whole subnet used by that VLAN to the RADIUS server.
06-02-2025 08:48 AM
Do you mean placing all the access points in a single VLAN and using the gateway IP address of that VLAN as the RADIUS client in NPS?
06-02-2025 08:49 AM
Not the gateway. Just the whole subnet assigned to that VLAN.
For example 192.168.1.0/24
From AI:
Here's how to do it:
Open NPS Console: In Server Manager, click on "Tools," then "Network Policy Server".
Access RADIUS Clients: In the NPS console, expand "RADIUS Clients and Servers" and right-click on "RADIUS Clients".
Add a New Client: Choose "New".
Configure Client:
Enter a "Friendly name" for the client.
In the "Address (IP or DNS)" field, enter the subnet in CIDR notation (e.g., 192.168.1.0/24).
06-02-2025 12:41 PM
^^ Do this ^^
I always place my Meraki devices in their own Meraki Management VLAN. That way you can add the whole subnet to your NPS
06-02-2025 08:52 AM
You can just make an IP reservation for the APs on your DHCP server and the problem is solved.
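Both approaches from the thread, the single subnet entry in CIDR notation and the per-AP DHCP reservations with a host entry each, as an added PowerShell example (not code from the thread or from Microsoft). It assumes the NPS role and the DHCP Server role are installed on the local server, an AP management VLAN of 192.168.1.0/24, and placeholder AP names, MAC addresses, addresses and shared secret; replace all of those.

```powershell
# Added example, not from the thread. Assumes local NPS and DHCP Server roles;
# AP names, MACs, addresses and the shared secret are placeholders.
Import-Module NPS
Import-Module DhcpServer

$secret = 'REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET'

# Option A: one RADIUS client entry that covers the whole AP management subnet.
# Any host in 192.168.1.0/24 that knows the secret is accepted as a RADIUS client,
# so keep end-user devices out of this VLAN.
New-NpsRadiusClient -Name 'AP-Mgmt-VLAN' `
                    -Address '192.168.1.0/24' `
                    -SharedSecret $secret `
                    -VendorName 'RADIUS Standard' `
                    -AuthAttributeRequired $false `
                    -NapCompatible $false

# Option B: pin each AP to a fixed lease with a DHCP reservation on its MAC,
# then register that fixed address as its own RADIUS client. Per-host entries
# also let NPS logs name the individual AP rather than the subnet.
$aps = @(
    @{ Name = 'AP-01'; Mac = '00-11-22-33-44-55'; Ip = '192.168.1.11' },  # placeholder
    @{ Name = 'AP-02'; Mac = '00-11-22-33-44-56'; Ip = '192.168.1.12' }   # placeholder
)

foreach ($ap in $aps) {
    # Reservation keeps the AP on the same address across lease renewals.
    Add-DhcpServerv4Reservation -ScopeId 192.168.1.0 `
                                -IPAddress $ap.Ip `
                                -ClientId $ap.Mac `
                                -Name $ap.Name `
                                -Description 'Wireless AP'

    New-NpsRadiusClient -Name $ap.Name `
                        -Address $ap.Ip `
                        -SharedSecret $secret `
                        -VendorName 'RADIUS Standard'
}

# Verify what NPS now accepts as RADIUS clients.
Get-NpsRadiusClient | Format-Table Name, Address, VendorName
```

Use one option or the other in practice; running both as written gives every AP two matching entries. Option B is the one to pick when you need per-device attribution in the NPS logs, since a subnet entry is reported as a single client.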
06-02-2025 08:53 AM
Thanks, I'll try that approach.
Just one more question — if we place all the APs in a dedicated VLAN and use the subnet of that VLAN as the RADIUS client in NPS, can we still connect end-user devices (like laptops and phones) in the same subnet/VLAN?
Will there be any impact or potential issues with this setup?
06-02-2025 10:13 AM
From a security and management perspective I would keep them separated. Otherwise it will not pose any issues having end users in the same VLAN as APs and adding that subnet to the client list on the NPS server.
06-02-2025 07:01 PM
The only potential issue is it presents a security risk.
Any of the clients on that VLAN will be able to send RADIUS requests to the NPS server which can allow for malicious actions.
06-02-2025 02:47 PM
Add it to NPS using the supernet if you like. Like 192.168.0.0/16. You should only need a single entry for all your APs.
06-03-2025 12:03 PM
Not sure about NPS, but for Cisco ISE, one caveat with just adding the entire management network is that when using the Live Log for troubleshooting you will only see the NAD as the subnet, and not the device itself, as the NAD is created on the configured IP address. So if you need to determine which device is authenticating, you'll need to have added the NAD with its host address, and not the entire network.