Are you talking about 802.1x access control? If so, then yes, you are correct when it comes to how to setup Cisco ISE. You need to create you policies in ISE, then when you are ready, add the MX IP address with the Radius credentials as a NAD in ISE, then on the desired switchport/SSID on the MX, add the ISE server IP, secret key, and ports.
The Meraki cloud must be able to communicate with your RADIUS servers via the Internet.
Please make sure that:
Your RADIUS servers have public IP addresses (i.e., they are reachable on the Internet). Your firewall, if any, allows incoming traffic to your RADIUS servers. You whitelist IP addresses as clients on your RADIUS server as per the firewall information page
As reading , seem like ise need to be reachable from the cloud ? what does it mean ?
What I think that is referring to is if/when you have a customer-hosted RADIUS on your premises, then you would need to open up UDP/1812 inbound on your perimeter firewall in order for outside clients to be able to authenticate inbound against your RADIUS server.
Not sure if that was the design you were implementing but if that's how you have it configured, it should be reflected under Help > Firewall Rules. This is typically seen when configuring splash page sign-on via RADIUS.
Alternatively, maybe you were looking to simply have the SSID auth against your internal RADIUS, so perhaps this doesn't involve splash or opening up anything from the outside to get to your RADIUS. Maybe it's just in the association section (not the splash page section) that you choose Enterprise auth with my RADIUS server, and then if you want you could still have a click-thru splash page. Sorry if I misunderstood the question. Some pretty good docs on this also https://documentation.meraki.com/Special:Search?q=radius
And how about sending configuration through API? I've automation project related to Meraki MX Access Control and really appreciate if you've documentation about this subject 🙂 Note: I've already checked this document: https://developer.cisco.com/meraki/api but none of it has MX Access Control API (including GET & POST method)