I would like to use the RADIUS proxy feature for 802.1X authentication.
I have an NPS running this in my network, so for sites connected with a VPN, there is no issue.
However, I have some sites with no VPN, with a small private network connected directly to the internet. I want them to use a Meraki AP with the same SSID and same credentials as in the head office.
RADIUS Proxy seems to be a great solution, but I need to open my RADIUS to the internet, and the security team will reject such a request until I give the right answer. So, is it secure to do this? Has anyone of you put it in prod across a dozen countries or remote branch offices?
Documentation leads me to believe that you could set up the SSID on the remote network MR to be VPN concentrated and as such pass the authentication on to the main network through its MX. However, that would pass your remote network traffic on that SSID through the main network MX as well, no? I would also be curious to see any answers on opening RADIUS up to the internet as I have no experience with this.
I wouldn't want to expose my RADIUS server to the Internet either.
If you do enable the RADIUS proxy feature, then if you go to Help/Firewall Info it will tell you the firewall rules you need to add.
To get the valid firewall info you need to enable RADIUS on a "splash page", otherwise it gives you your own network as source and your own IP (public or private) as destination. I got it by opening a case; they discovered it was not handled by the choice of "Use Meraki Proxy" but only for the splash option.