Setup RADIUS Authentication for wired clients

Solved
dade80vr
Getting noticed

Hi.

I need to set up RADIUS auth for wired (not wireless) clients grouped in a VLAN by an MX, because I need LAN clients to see a splash page and log in with their Active Directory credentials before browsing the internet.

I've configured NPS on Windows Server 2019 in the same VLAN (inside the MX network), but the question is: can I point to my NPS private IP on the Meraki "access control" page and do a port forward of 1812/UDP from the Meraki Cloud IPs?

The documentation says to set up a public IP for the RADIUS server, but I cannot expose this host.

Have you got a guide?

The official Meraki docs say a lot about wireless access, not wired.

Thank you.

1 Accepted Solution
PhilipDAth
Kind of a big deal

> could be a NPS server inside my network and not public exposed or must be public?

If you are using that method it has to run over the Internet.  You can NAT through udp/1812 to your RADIUS server.

CptnCrnch
Kind of a big deal

Stupid question perhaps, but: which MX model supports Wired 802.1x on its ports?

dade80vr
Getting noticed

I'm asking because I don't know the answer 🙂

So, do you think it is not possible to target a RADIUS server in a wired VLAN?

Security & SD-WAN > Configure > Access control says that it is possible to sign on with "my RADIUS server".

If not, how can I reach this target another way?

GreenMan
Meraki Employee

This is the document you're after, I think: https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X)

This is the first line of the overview, which outlines the supported platforms:

"MX64/65(W) and MX67/68(C/W) and Security Appliances as well as Z3(C) Teleworker Gateways support port-based access policies using 802.1X. This feature can be leveraged for deployments where extra authentication is desired for devices that are connecting to the MX."

I would add that access policies for MX/Z3 do not offer the same flexibility as for MS switches. If you have sophisticated needs (which tend to come with the client density that would also drive a need for the extra LAN ports), I would recommend choosing a 'smaller' MX (e.g. MX67) and pairing it with dedicated MS switches, rather than going for (say) an MX68.

dade80vr
Getting noticed

Thank you for the link.

But the need is very simple: log in on a splash page only to surf the internet (aka captive portal or something similar).

No auth is required to reach LAN shared folders or print on shared printers.

I don't know 802.1X authentication very well, and I don't understand if I can meet this need with a simple MX67.

dade80vr
Getting noticed

Excuse me, I found the setup page on an MX67, but this MX100 doesn't have port-based auth.

But is this valid only for internet access or for whole LAN access?

For example, can a host on this VLAN communicate with a file server on the same VLAN without doing the auth?

I'm searching for something only for internet, like a captive portal.

dade80vr
Getting noticed

"The 802.1X configurations on all Security Appliances are designed for a single-host authentication. Connecting multiple devices on the same port is not recommended."

No, this is not what i am looking for.

GreenMan
Meraki Employee

If splash page is your particular ask, then this will apply: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Splash_Page#MX_Splash...

I see you found that already, in Dashboard, and that the multi-client recommendation puts it out for you (😕). It's worth knowing that the authorisation, on that basis, if you did adopt it, is an on/off switch. Assuming the VLANs on your site are all routed by your MX, by default authenticated clients would be able to access all of those. You could limit any access between them (and to the Internet, of course) using the MX Firewall features.

Note that, if you're also using VPN, you would need to control any access to remote subnets over VPN tunnels separately, using VPN firewall rules under Security & SD-WAN > Configure > Site-to-site VPN.

dade80vr
Getting noticed

@GreenMan wrote:

> If splash page is your particular ask, then this will apply: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Splash_Page#MX_Splash...

Yes, i know.

The splash page depends on the access control page: if I set Network access > Sign on with "my RADIUS server", I can set up a RADIUS IP.

But the main questions are:

  1. Could the NPS server be inside my network and not publicly exposed, or must it be public?
  2. If I port-forward 1812/UDP from the Meraki Cloud IPs to the NPS private IP, will it work?

That page says:

"IP addresses: The Meraki cloud must be able to communicate with your RADIUS servers via the Internet. Please make sure that:

- Your RADIUS servers have public IP addresses (i.e., they are reachable on the Internet).
- Your firewall, if any, allows incoming traffic to your RADIUS servers.
- You whitelist IP addresses as clients on your RADIUS server as per the firewall information page."

@GreenMan wrote:

> I see you found that already, in Dashboard, and that the multi-client recommendation puts it out for you (😕). It's worth knowing that the authorisation, on that basis, if you did adopt it, is an on/off switch. Assuming the VLANs on your site are all routed by your MX, by default authenticated clients would be able to access all of those. You could limit any access between them (and to the Internet, of course) using the MX Firewall features.
>
> Note that, if you're also using VPN, you would need to control any access to remote subnets over VPN tunnels separately, using VPN firewall rules under Security & SD-WAN > Configure > Site-to-site VPN.

Right.

dade80vr
Getting noticed

@PhilipDAth wrote:

> > could be a NPS server inside my network and not public exposed or must be public?
>
> If you are using that method it has to run over the Internet. You can NAT through udp/1812 to your RADIUS server.

Already did; let me do other tests tomorrow.

In your opinion, must I insert a PUBLIC or a private IP address for the RADIUS server host on the Access Control page?

Thank you all, guys.

PhilipDAth
Kind of a big deal

Public. The splash page is hosted externally.
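As an added example (not code from the thread, from Meraki or from NPS), here is a minimal Python model of both ends of the RFC 2865 Access-Request/Accept exchange that a NAT-forwarded udp/1812 exposes: the User-Password obfuscation with the shared secret, the server discarding requests from addresses that are not configured clients (the "whitelist" step in the quoted docs), and the client recomputing the Response Authenticator before trusting the result. The secret, user and addresses are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the thread): shared secret, user directory and the
# source addresses the server accepts as RADIUS clients (the "whitelist" step in the docs).
SECRET = b"example-shared-secret"
USERS = {"alice": "Winter2024!"}
ALLOWED_CLIENTS = {"203.0.113.10"}

def _chain(data, secret, req_auth, decrypt):
    """RFC 2865 5.2 User-Password: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)  # chaining uses ciphertext
    return out

def build_access_request(ident, user, password, secret, req_auth):
    """NAS side: Code 1, Identifier, Length, 16-byte Request Authenticator, then attributes."""
    pw = password.encode() + b"\x00" * (-len(password) % 16)          # pad to 16-byte blocks
    enc = _chain(pw, secret, req_auth, decrypt=False)
    attrs = bytes([1, 2 + len(user)]) + user.encode() + bytes([2, 2 + len(enc)]) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def _parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body) and body[i + 1] >= 2:                   # Type, Length, Value
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def handle_access_request(packet, src_ip, secret):
    """Server side: drop unknown clients, check the password, sign the reply (RFC 2865 sec. 3)."""
    if src_ip not in ALLOWED_CLIENTS or len(packet) < 20:
        return None                                # silently discarded, as the RFC requires
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    if code != 1 or 1 not in attrs or 2 not in attrs: return None
    user = attrs[1].decode(errors="replace")
    pw = _chain(attrs[2], secret, req_auth, decrypt=True).rstrip(b"\x00").decode(errors="replace")
    header = struct.pack("!BBH", 2 if USERS.get(user) == pw else 3, ident, 20)  # Accept / Reject
    return header + hashlib.md5(header + req_auth + secret).digest()    # Response Authenticator

def response_is_authentic(response, req_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting the Accept/Reject code."""
    if len(response) < 20: return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Once udp/1812 is reachable from the Internet, the configured client address list and the strength of the shared secret are all that separate an unknown sender from an authentication attempt, which is what the whitelist step in the docs is for.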