Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Splash + Radius and Multi store locations - questions

Solved
rrocha
Getting noticed
‎Feb 21 2018 9:29 AM
‎Feb 21 2018 9:29 AM

Splash + Radius and Multi store locations - questions

Hello Friends,

I am responsable to desing network diagram situation where will be a lot of differente stores with each one with its own internet connection, and I would like to understand this cenario when using splash page + Radius Auth(with a connection to a central databank).

Who is gonna ask the server Radius the infos (who will be the NAS for all the diferents stores) ?
I need my Radius exposed with a public IP or redirect ports within my firewall ?
If the stores don't have the fixed IP,  How I will add the Acess Point as valid clients Radius ?

0 Kudos
Subscribe
1 Accepted Solution
In response to rrocha
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 21 2018 2:09 PM
‎Feb 21 2018 2:09 PM

The cloud will act as a NAS client, sending requests to your RADIUS server.  You server then sends back accept or reject messages to allow or deny access.

 

We are talking about guest WiFi with a splash page here.  The AP is not authenticating the user.  The AP will not be talking to your RADIUS server.  The Meraki cloud is the only thing that will be sending RADIUS messages to you.

View solution in original post

Subscribe
8 Replies 8
Adam
Kind of a big deal
‎Feb 21 2018 1:06 PM
‎Feb 21 2018 1:06 PM

If the locations have an MX they can do a VPN tunnel back to your core where the Radius server lives.  Then you can give the APs static LAN IPs to use to add to RADIUS.  Should be more secure to keep all that sensitive traffic in a tunnel vs traversing the internet. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 21 2018 1:18 PM
‎Feb 21 2018 1:18 PM

The answer is "it depends".

 

You will often need a RADIUS server that is connected to the Internet.  Have a read over this guide on creating custom captive portals (or are going to use a custom portal - or a built in one?)

 

 

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf

0 Kudos
Subscribe
In response to PhilipDAth
rrocha
Getting noticed
‎Feb 21 2018 1:47 PM
‎Feb 21 2018 1:47 PM

I dont know if will be there a tunnel, but probably it will not have a MX on each store.
I am thinking of using the Meraki as the splash page(built-in), tweak it to look nice(and have  the meraki cloud infra to sustain a page to me is better) and have it asking a Radius that will be talking to somekind of SQL database probably.

So, based on what you guys answered is as I expected, the NAS cliente will not be the Meraki cloud portal.Yes ?


So without VPN, this kind of deployment is possible ? Need the Fixed IP, Redirects Ports or the Radius having a public address...???

0 Kudos
Subscribe
In response to rrocha
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 21 2018 1:51 PM
‎Feb 21 2018 1:51 PM

In this case, the NAS client will be the Meraki Cloud, and the cloud will need to be able to talk to your RADIUS server over the Internet.  Consequently your RADIUS server would have to be accessible via a public IP address.

0 Kudos
Subscribe
In response to PhilipDAth
rrocha
Getting noticed
‎Feb 21 2018 2:00 PM
‎Feb 21 2018 2:00 PM

Philip,

How I say/set that the meraki cloud will be my central NAS device ??

Or  its by default (and i really didn't understand before)?

Like, when I have the Radius and Access Points on the same/routable network, I needed to add the APs as the NAS clients themselves( i dont remember if there was a Radius proxy/concentrator in the meraki configuration), I did never have to do something to make my Radius talk to the Meraki cloud.

.

0 Kudos
Subscribe
In response to rrocha
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 21 2018 2:09 PM
‎Feb 21 2018 2:09 PM

The cloud will act as a NAS client, sending requests to your RADIUS server.  You server then sends back accept or reject messages to allow or deny access.

 

We are talking about guest WiFi with a splash page here.  The AP is not authenticating the user.  The AP will not be talking to your RADIUS server.  The Meraki cloud is the only thing that will be sending RADIUS messages to you.

Subscribe
In response to PhilipDAth
rrocha
Getting noticed
‎Feb 21 2018 2:17 PM
‎Feb 21 2018 2:17 PM

Thanks Philip !!!

 

I didn't know that there was a difference on the NAS thing between WPA2-Enterprise and the Splash page when using the cloud to host it 😄

0 Kudos
Subscribe
In response to rrocha
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 21 2018 2:35 PM
‎Feb 21 2018 2:35 PM

Here is a specific configuration guide covering what you are doing.

 

https://documentation.meraki.com/MR/Splash_Page/Configuring_RADIUS_Authentication_with_a_Sign-on_Spl...

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.