cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What source IP addresses (or domains) will attempt to connect to my RADIUS server?

New here

What source IP addresses (or domains) will attempt to connect to my RADIUS server?

Hello:

 

My corporate office is attempting to set up a FreeRADIUS authenticated server that draws its credentials from an LDAP server. The LDAP side of things is configured and functioning properly, however, due to security concerns, we do not wish to open port 1812 to the entire open internet.

 

What will the source address be for these requests? In the firewall page, it indicates that port 1812/UDP must be opened - who exactly are we opening it to? I have tried for several hours now to find documentation that gives some indication as to what external source is required in this instance.

 

I am having trouble getting the RADIUS server to authenticate with the Meraki Cloud access points. Does Cisco actually force this port to be open to 0.0.0.0? And why is this required?

 

Thanks

James Mattison

5 REPLIES 5
Meraki Employee

Re: What source IP addresses (or domains) will attempt to connect to my RADIUS server?

Please find the IP addresses at Help --> Firewall info on the dashboard.

New here

Re: What source IP addresses (or domains) will attempt to connect to my RADIUS server?

Correct - that gives me the address that the Cloud needs access to. I need to know, from the point of view of the RADIUS server itself, what IP addresses (that are not from our network, ie external) need to be allowed access on this particular port? What I mean is, it is telling me to set the firewall to open port 1812 externally, allowing access to that IP address. I need to know where this external traffic  is going to originate from.

Head in the Cloud

Re: What source IP addresses (or domains) will attempt to connect to my RADIUS server?

Hi James,

 

I understand the "Dashboard" ex. "https://n69.meraki.com" in my case will talk to Radius Server.

 

Radius.PNG

 

Note : This is only in the case if you are planning to host a "Captive Portal" for on boarding users.

 

If you are looking forward to onboard "Corporate Users" via WPA2-Enterprise I believe we do not have to expose our Radius Server to Public. Most of the times I see Corporate Users are "on boarded" via WPA2-Enterprise unless you have a different need.

 

Radius Access Control.PNG

 

Also "Firewall Info" do shares the desired IPs to be allowed.

 

Firewall Rules.PNG

 

Cheers
Ajit
ajitsnw@gmail.com
https://www.linkedin.com/in/ajitkumarverma/
Kind of a big deal

Re: What source IP addresses (or domains) will attempt to connect to my RADIUS server?

The firewall info page has the answer, as shown in @AjitKumar screenshot.

 

Note the IP subnets might be different for your Meraki organisation so don't copy the screenshot.

Building a reputation

Re: What source IP addresses (or domains) will attempt to connect to my RADIUS server?

I don't think anyone has mentioned the impact of the "RADIUS Proxy" setting on the Access Control Configuration page.

 

If you do not use RADIUS Proxy, I believe the RADIUS messages will originate from the management interface of each access point.

 

If you do use RADIUS Proxy, the messages will originate from Meraki cloud as indicated on the firewall info page.

 

In one of my networks where I use RADIUS proxy, the firewall info page shows a line for port 1812 where the source IP contains three networks (two /24 and one /20).  The destination IP shows the addresses of my two RADIUS servers.  When I did the initial setup, I added the three Meraki-provided CIDR ranges as allowed clients in my RADIUS configuration.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.