Secure Client Radius setup with cloud Radius

612Meraki
Comes here often

Greetings. Looking for a doc that explains how to do cloud RADIUS-based authentication on an MX Secure Client setup. We are using SCEPman and RADIUSaaS for device-based EAP-TLS and now want to use this for device-based auth for Secure Client VPN. The devices already have the certs in place, so maybe it's as simple as just adding in the RADIUSaaS cert, address, port, and shared secret? Hoping to use Intune to push the VPN profile to devices and control which devices are allowed to auth.

I have looked high and low on the Meraki support and RADIUSaaS pages, but am not quite finding the solution.

alemabrahao
Kind of a big deal

The MX itself doesn’t validate certificates; it passes the request to RADIUSaaS, which does the certificate check (the EAP-TLS handshake happens between client and RADIUS).

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal

I don't think this is correct (in the context of client VPN; for switches and APs it would be correct). The MX should validate the certificate as the first step and pass the username and password to the RADIUS server as a second step. And with this, I would not use a Cloud RADIUS for the MX because the password protection relies on the completely outdated RADIUS protocol, which is based on MD5 security.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

Are you using only RADIUS authentication? Then the cert is just passed through to the RADIUS server.

Or are you using certificate+prompt for username/password - and having the MX check the certificate first? If so, follow these instructions.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication#Certifi...

612Meraki
Comes here often

Trying to do pure device cert RADIUS auth with a cloud RADIUS provider.

Blue_Bird
Getting noticed
612Meraki
Comes here often

This appears to be NPS RADIUS. We are looking to do cloud-based RADIUS with device cert auth. I don't think this is possible yet with the MX VPN?
