Solved: Re: SSID Tunneling Radius Interface

stefanzuber · ‎05-16-2023

Hello,

when a SSID is tunneled in L3 roaming mode to a concentrator, the concentrator acts as Radius authenticator. Which will be the source interface / IP of the Radius requests? Is it the WAN IP of the concentrator (in routed mode)? Or is it the Vlan IP and with multiple Vlan‘s are different source IP‘s?used?

Many thanks for your help!

a5it · ‎05-16-2023

When an SSID is tunneled in Layer 3 (L3) roaming mode to a concentrator (like a Meraki MX security appliance or another wireless access point), the concentrator indeed acts as the RADIUS authenticator.

The source IP address of the RADIUS requests in this scenario is typically the IP address of the concentrator's Internet-facing interface (WAN IP). This is because the concentrator is the device interfacing directly with the RADIUS server over the network.

However, the exact behavior may depend on the specific configuration and features of the concentrator. For example, if the concentrator supports multiple VLANs and is configured to use a different source IP for each VLAN, then it could potentially use different source IPs for RADIUS requests coming from different VLANs. But this would typically require specific configuration and is not the default behavior.

View solution in original post

a5it · ‎05-16-2023

When an SSID is tunneled in Layer 3 (L3) roaming mode to a concentrator (like a Meraki MX security appliance or another wireless access point), the concentrator indeed acts as the RADIUS authenticator.

The source IP address of the RADIUS requests in this scenario is typically the IP address of the concentrator's Internet-facing interface (WAN IP). This is because the concentrator is the device interfacing directly with the RADIUS server over the network.

However, the exact behavior may depend on the specific configuration and features of the concentrator. For example, if the concentrator supports multiple VLANs and is configured to use a different source IP for each VLAN, then it could potentially use different source IPs for RADIUS requests coming from different VLANs. But this would typically require specific configuration and is not the default behavior.

aleabrahao · ‎05-16-2023

ChatGPT again?

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

stefanzuber · ‎05-16-2023

Do you mean the answer is wrong or just fake?

a5it · ‎05-18-2023

Hi Stefan_Zuber,

We're powered by A5 IT AI. We trained our system to respond to all tech troubleshooting.

Thank you,

Nick Pitzaferro

Rasmus Hoffmann Birkelund · ‎05-16-2023

When the SSID is in tunnel mode - either Layer 3 roaming or VPN, RADIUS is sourced from the MX vlan IP and forwarded out the WAN interface, regardless if you have more specific entries in the routing table.

#########
LinkedIn ::: https://blog.rhbirkelund.dk/
Like what you see? - Mark as helpful ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for Code execution is solely your own.

stefanzuber · ‎05-16-2023

Can this behaviour be changed? Alternate Management Interface etc.?

Rasmus Hoffmann Birkelund · ‎05-16-2023

Nope. Supports recommendation is to move the MX to Passthrough Mode, instead of routed.

#########
LinkedIn ::: https://blog.rhbirkelund.dk/
Like what you see? - Mark as helpful ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for Code execution is solely your own.

stefanzuber · ‎05-21-2023

We have done some packet captures. The source interface of the radius requests was the WAN interface, not the L3 vlan interface.