We are migrating away from a Catalyst 2960x switch stack to a Meraki MS210 switch stack. In the 2960x switch stack, we utilized a VLAN interface that acted as the IP address for the entire stack. This way, when it came to RADIUS 802.1x authentication, we only had to approve the single VLAN IP address rather than an individual IP address for each switch. I'd like to achieve the same thing with a Meraki stack if this is possible. Each switch will be given an IP address for management purposes, but is there a way to funnel all RADIUS authentication traffic through a Layer 3 Interface so that when a client connects and authenticates with 802.1x, the RADIUS server sees the supplicant as the Layer 3 Interface IP address rather than the switch IP address itself?
The source int for RADIUS would be the switch's mgmt IP (each switch in a stack). You can optionally use a different mgmt IP. But you cannot configure it to come from an L3 interface of the switch.
Thanks @Ryan_Miles. Once enabled, can I assign the same ALT MGMT IP address to multiple switches of the stack?
Alt mgmt IP, just like the regular mgmt IP, is a per-switch thing. In Meraki stacking, mgmt IPs always need to be present per switch.
So in short, there is no way to represent the entire stack as 1 IP address. Specifically for RADIUS authentication.
Correct
With Meraki it's best to use a management subnet for switches and APs, and add that subnet to the RADIUS server.
@ww you are saying have your switches/APs assigned a MGMT network VLAN (assign the switch IP on that network) and add that to the RADIUS server for authentication, but have the endpoints on a separate data VLAN network?
Yes, a separate management VLAN. Then you can add that VLAN/subnet to the RADIUS server so you don't have to add individual IPs.
Data clients, servers, VoIP phones, etc. are on other VLANs.
Thanks. Why is that "best" for Meraki products compared to others?
Well, a separate management subnet is always good so you can restrict traffic to that VLAN more easily. But for Cisco you always used a WLC and the WLC IP did authentication. And for switches, like you said, you just used one for a stack. Now at Meraki every AP and switch has its own management IP where authentication requests are sourced from. You don't want to add every single one of those IPs to the RADIUS server.
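
An added example, not part of the thread: a Python check for the approach discussed above, confirming that every per-device management IP is covered by the RADIUS server's client entries and that a subnet-wide client entry does not also cover data VLANs. The function name, device names and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory: each stack member and AP has its own mgmt IP,
# which is the source address of its RADIUS Access-Requests.
DEVICES = {
    "stack1-sw1": "10.20.30.11",
    "stack1-sw2": "10.20.30.12",
    "stack1-sw3": "10.20.30.13",
    "ap-lobby": "10.20.30.51",
    "stack2-sw1": "10.20.31.14",  # alternate mgmt IP placed outside the mgmt VLAN
}
# Constructed data VLANs (clients, servers, VoIP phones).
DATA_SUBNETS = ["10.20.40.0/24", "10.20.50.0/24"]


def audit_radius_clients(client_entries, devices, data_subnets):
    """Compare RADIUS client (NAS) entries against the device inventory.

    Returns (uncovered, overbroad):
      uncovered - devices whose mgmt IP matches no client entry; a RADIUS
                  server has no shared secret for them (RFC 2865 says such
                  requests are silently discarded).
      overbroad - client entries that overlap a data VLAN, so endpoint
                  addresses would also be accepted as RADIUS clients.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in client_entries]
    data = [ipaddress.ip_network(d) for d in data_subnets]
    uncovered = [
        name for name, ip in devices.items()
        if not any(ipaddress.ip_address(ip) in n for n in nets)
    ]
    overbroad = [str(n) for n in nets if any(n.overlaps(d) for d in data)]
    return uncovered, overbroad


if __name__ == "__main__":
    scenarios = {
        "per-IP entries": ["10.20.30.11", "10.20.30.12"],
        "mgmt subnet entry": ["10.20.30.0/24"],
        "whole-site entry": ["10.20.0.0/16"],
    }
    for label, entries in scenarios.items():
        uncovered, overbroad = audit_radius_clients(entries, DEVICES, DATA_SUBNETS)
        print(f"{label}: uncovered={uncovered} overbroad={overbroad}")
```
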