Meraki

Community

Traffic Shaping rules not apply to RADIUS auth traffic?

KevinH
Here to help
‎Jan 16 2020 12:37 PM
‎Jan 16 2020 12:37 PM

Traffic Shaping rules not apply to RADIUS auth traffic?

Hi guys,

 

I have an MX with two WANs from different ISPs. WAN1 is primary.

 

I authenticate my SSID via RADIUS from a RADIUS-as-a-Service on the internet. This is working.

I configured Client VPN with RADIUS authentication and it's working.

 

My RADIUS-as-a-Service has an option for MFA (TOTP). I want to turn on MFA for Client VPN connections but not wireless connections. I can specify different RADIUS server IPs in the SSID settings and the Client VPN settings. Got that.

 

My RaaS has multiple public static IPs and recognizes by Source IP. So I would like to RADIUS traffic from SSID auth requests to go out WAN1, and RADIUS traffic for Client VPN auth requests to go out WAN2. That way my RADIUS service knows to only ask for MFA from requests coming from WAN2's IP.

 

I made the Traffic Shaping rules in Flow Preferences accordingly. But it looks like RADIUS traffic does not obey these rules. Does anyone know if RADIUS traffic are supposed to obey traffic shaping rules?

 

My Rules are basically:

Protocol:Any  Source:Any  Destination:RaaS-IP-1  DestPort:Any  Preferred uplink:WAN1

Protocol:Any  Source:Any  Destination:RaaS-IP-2  DestPort:Any  Preferred uplink:WAN2

 

I can tell that all RADIUS traffic looks like it's coming from WAN1. This is because the shared key I use for WAN1 works for both wireless and Client VPN. When I use the shared key meant for WAN2, it doesn't work.

0 Kudos
7 Replies 7
jdsilva
Kind of a big deal
‎Jan 16 2020 1:09 PM
‎Jan 16 2020 1:09 PM

I think you mean Internet Flow Preferences, not Traffic Shaping rules?

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

 

If you have active flows and then add the rules they won't take effect until the current flows timeout due to inactivity, which is 1 hour. 

 

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
KevinH
Here to help
‎Jan 16 2020 1:12 PM
‎Jan 16 2020 1:12 PM

Oh, thank you for the info. I will wait one hour and see if it works.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 16 2020 3:33 PM
‎Jan 16 2020 3:33 PM

I don't believe you will be able to influence which WAN interface particular RADIUS requests are sent from.

 

What the RaaS should be doing is matching on attributes.

They can match on "NAS Port Type" being WiFi (client VPN does not return a port type).

They can also match on "Called Station ID" which identifies both the AP (not commonly used) and the SSID the user is attempting to authenticate to (client VPN again does not return this).

KevinH
Here to help
‎Jan 16 2020 5:02 PM
‎Jan 16 2020 5:02 PM

@jdsilva I waited 3 hours and it did not work.

 

@PhilipDAth Thanks for the reply. Unfortunately my Radius service can't match on attributes. They're pretty basic but they have an MFA feature.

 

I guess I'm out of luck.

0 Kudos
In response to KevinH
jdsilva
Kind of a big deal
‎Jan 16 2020 6:20 PM
‎Jan 16 2020 6:20 PM

Yeh sorry @KevinH, Philip is probably correct here. You can likely influence the SSID RADIUS traffic as that's traversing the MX, but for Client VPN it would originate from the MX and not be subject to the flow preferences. I misunderstood that part. Sorry for the confusion.

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
KevinH
Here to help
‎Jan 16 2020 6:37 PM
‎Jan 16 2020 6:37 PM

"You can likely influence the SSID RADIUS traffic as that's traversing the MX..."

 

I can test this. As long as I can influence one it should be good enough. Will report back my finding.

0 Kudos
In response to KevinH
KevinH
Here to help
‎Jan 17 2020 1:11 PM
‎Jan 17 2020 1:11 PM

I could not get this to work however Meraki Tech Support said "Flow preferences should be applied to any WAN bound traffic."

 

Will keep trying.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.