802.1x enabled SSID

SOLVED
Aneeshram
Here to help

802.1x enabled SSIDs.

In order to explain what I am trying to ask, I will first describe the scenario using a Cisco WLC solution, so that you can understand my question a bit better.

Let's assume the customer is using Microsoft NPS as their RADIUS server.

Current Setup

- In Microsoft NPS, the Cisco WLC is set up as a RADIUS client with a shared secret.
- In the WLC, the Microsoft NPS servers are set up as RADIUS clients with the same shared secret.

When we move to Meraki

Meraki Solution (assuming I have got this right)

- In the Meraki Dashboard, we would add the NPS servers as RADIUS clients (with a shared secret).
- In the NPS server, we will have to add every AP as a RADIUS client (with the same shared secret).

If the above is correct, then my next question is: what is the recommendation for IP addressing the Access Points?

We were designing all the APs to get an IP using DHCP (which I understand is the recommended best practice), but if we have to set up each AP in the NPS server as a RADIUS client, then does the IP address need to be static? Correct?

1 ACCEPTED SOLUTION
wifijanitor
Meraki Employee

Running DHCP for the AP isn't a problem. As stated previously you can configure reservations for the AP so it will always get the same IP address. The problem is the need to define each AP as a NAS with an individual IP address.

 

What version of NPS are you running? There are versions that will allow you to configure a NAS IP address range:

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-radius-clients-confi... 


6 REPLIES
Brash
Kind of a big deal

The only reason I can think of DHCP being recommended is for ease of initial configuration (zero touch deployment etc).

If you want to stick with DHCP IPs for the APs, you've got a few options:
 - Create DHCP reservations for the APs to ensure their IP remains consistent
 - Rather than adding individual addresses as NPS clients, add the entire Meraki AP management subnet

Of course, as you mentioned, the other option is to use static IPs instead.

Thanks Brash.

As always, I appreciate your help.

WB
Building a reputation

We run this exact setup:

- From an IP perspective, we have a standardised /2x subnet at each site that their local APs sit in.
- The NPS RADIUS client entry at each site is just a single entry with the subnet + mask. This allows us to add APs in future without needing to amend NPS configs.
- APs pick up DHCP IPs and they do get reserved; however, this is exclusively to avoid the scope being filled with BAD_ADDRESS entries if there is a future outage of the DHCP server.

In Meraki, for each SSID we simply add the IPs of the RADIUS Auth & Accounting servers to point to the relevant NPS server IPs on ports 1812 and 1813.

 

Keep in mind with the single subnet RADIUS client entry, you won't see the AP names that your clients connect to in NPS logs under RADIUS Client > Client Friendly Name. You will only see the name of the entry you made in NPS settings.
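The caveat above (a single subnet-wide RADIUS client entry means the NPS log only shows that entry's friendly name, not the individual AP) can be worked around on the logging side. The following is an added example, not WB's configuration or any Meraki or Microsoft code: it parses NPS DTS-compliant XML log events and maps each event back to an AP using the NAS-IP-Address attribute and the DHCP reservation table that the thread already recommends keeping. The subnet, the reservation table, the log lines and the AP names are all constructed here; the element names follow the DTS-compliant NPS log format, and the `MAC:SSID` layout of Called-Station-Id is an assumption about the Meraki AP, so verify both against your own logs. Events whose NAS IP has no reservation, falls outside the site subnet, or differs from the packet's source IP are flagged for review, which is the sort of check a defender wants once per-AP friendly names are gone.

```python
"""Map NPS RADIUS log events back to individual Meraki APs when the NPS
RADIUS client is a whole subnet rather than one entry per AP.
Added example with constructed data; not the thread author's configuration."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: one NPS RADIUS client entry per site, keyed by its friendly name.
NPS_CLIENT_SUBNETS = {
    "SITE-A-MERAKI-APS": ipaddress.ip_network("10.20.30.0/24"),
}

# Constructed: DHCP reservation table for the AP management subnet (IP -> AP name).
AP_RESERVATIONS = {
    "10.20.30.11": "site-a-ap01",
    "10.20.30.12": "site-a-ap02",
}

# RADIUS packet codes as NPS writes them in Packet-Type.
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed sample of DTS-compliant NPS log lines (one <Event> per line).
# Events 3 and 4 are deliberately anomalous: an unreserved IP, and a NAS-IP-Address
# that disagrees with the packet's source address and lies outside the site subnet.
SAMPLE_LOG = "\n".join([
    '<Event><Timestamp data_type="4">01/15/2024 09:12:33.123</Timestamp>'
    '<User-Name data_type="1">jdoe</User-Name>'
    '<Client-IP-Address data_type="3">10.20.30.11</Client-IP-Address>'
    '<Client-Friendly-Name data_type="1">SITE-A-MERAKI-APS</Client-Friendly-Name>'
    '<NAS-IP-Address data_type="3">10.20.30.11</NAS-IP-Address>'
    '<Called-Station-Id data_type="1">AA-BB-CC-DD-EE-01:CorpWiFi</Called-Station-Id>'
    '<Packet-Type data_type="0">1</Packet-Type></Event>',
    '<Event><Timestamp data_type="4">01/15/2024 09:12:35.456</Timestamp>'
    '<User-Name data_type="1">asmith</User-Name>'
    '<Client-IP-Address data_type="3">10.20.30.12</Client-IP-Address>'
    '<Client-Friendly-Name data_type="1">SITE-A-MERAKI-APS</Client-Friendly-Name>'
    '<NAS-IP-Address data_type="3">10.20.30.12</NAS-IP-Address>'
    '<Called-Station-Id data_type="1">AA-BB-CC-DD-EE-02:CorpWiFi</Called-Station-Id>'
    '<Packet-Type data_type="0">4</Packet-Type></Event>',
    '<Event><Timestamp data_type="4">01/15/2024 09:13:01.000</Timestamp>'
    '<User-Name data_type="1">jdoe</User-Name>'
    '<Client-IP-Address data_type="3">10.20.30.99</Client-IP-Address>'
    '<Client-Friendly-Name data_type="1">SITE-A-MERAKI-APS</Client-Friendly-Name>'
    '<NAS-IP-Address data_type="3">10.20.30.99</NAS-IP-Address>'
    '<Called-Station-Id data_type="1">AA-BB-CC-DD-EE-99:CorpWiFi</Called-Station-Id>'
    '<Packet-Type data_type="0">1</Packet-Type></Event>',
    '<Event><Timestamp data_type="4">01/15/2024 09:13:05.000</Timestamp>'
    '<User-Name data_type="1">jdoe</User-Name>'
    '<Client-IP-Address data_type="3">10.20.30.13</Client-IP-Address>'
    '<Client-Friendly-Name data_type="1">SITE-A-MERAKI-APS</Client-Friendly-Name>'
    '<NAS-IP-Address data_type="3">10.99.0.5</NAS-IP-Address>'
    '<Called-Station-Id data_type="1">AA-BB-CC-DD-EE-13:CorpWiFi</Called-Station-Id>'
    '<Packet-Type data_type="0">1</Packet-Type></Event>',
])


def parse_events(log_text):
    """Parse DTS-compliant NPS log text into one dict (element tag -> text) per event."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events


def resolve_ap(event):
    """Attribute one event to an AP and flag inconsistencies a reviewer should see."""
    client_name = event.get("Client-Friendly-Name", "")
    nas_ip = event.get("NAS-IP-Address", "")
    source_ip = event.get("Client-IP-Address", "")
    subnet = NPS_CLIENT_SUBNETS.get(client_name)
    try:
        in_subnet = subnet is not None and ipaddress.ip_address(nas_ip) in subnet
    except ValueError:  # malformed or empty NAS-IP-Address
        in_subnet = False
    called = event.get("Called-Station-Id", "")
    ssid = called.split(":", 1)[1] if ":" in called else ""  # assumed MAC:SSID layout
    return {
        "user": event.get("User-Name", ""),
        "client": client_name,
        "nas_ip": nas_ip,
        "ap_name": AP_RESERVATIONS.get(nas_ip),  # None when no reservation exists
        "in_client_subnet": in_subnet,
        "nas_ip_matches_source": nas_ip == source_ip,
        "ssid": ssid,
        "packet_type": PACKET_TYPES.get(event.get("Packet-Type", ""), "other"),
    }


def summarize(log_text):
    """Resolve every event in the log to its AP record."""
    return [resolve_ap(e) for e in parse_events(log_text)]


def unresolved(log_text):
    """Events that cannot be tied to a known AP, or whose NAS IP looks wrong."""
    return [r for r in summarize(log_text)
            if r["ap_name"] is None or not r["in_client_subnet"]
            or not r["nas_ip_matches_source"]]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("needs review:", len(unresolved(SAMPLE_LOG)))
```

Run against a real DTS-format log file, the only parts to replace are the two constructed tables; if your NPS writes the older IAS (comma-separated) format instead, the field positions differ and `parse_events` would need a different parser.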

Thanks WB.

Good information.

Thanks wifijanitor.

Exactly what you said: the issue we are trying to address is the need to define each AP as a NAS client.

I suppose an IP range is the way to go here (provided the RADIUS server supports it).
