My corporate office is attempting to set up a FreeRADIUS authentication server that draws its credentials from an LDAP server. The LDAP side of things is configured and functioning properly; however, due to security concerns, we do not wish to open port 1812 to the entire open internet.
What will the source address be for these requests? In the firewall page, it indicates that port 1812/UDP must be opened - who exactly are we opening it to? I have tried for several hours now to find documentation that gives some indication as to what external source is required in this instance.
I am having trouble getting the RADIUS server to authenticate with the Meraki Cloud access points. Does Cisco actually force this port to be open to 0.0.0.0? And why is this required?
Please find the IP addresses at Help --> Firewall info on the dashboard.
Correct - that gives me the address that the Cloud needs access to. I need to know, from the point of view of the RADIUS server itself, what IP addresses (that are not from our network, i.e. external) need to be allowed access on this particular port? What I mean is, it is telling me to set the firewall to open port 1812 externally, allowing access to that IP address. I need to know where this external traffic is going to originate from.
I understand the "Dashboard" (e.g. "https://n69.meraki.com" in my case) will talk to the RADIUS server.
Note: This applies only if you are planning to host a "Captive Portal" for onboarding users.
If you are looking to onboard "Corporate Users" via WPA2-Enterprise, I believe we do not have to expose our RADIUS server to the public. Most of the time I see corporate users "onboarded" via WPA2-Enterprise, unless you have a different need.
Also, "Firewall Info" does share the desired IPs to be allowed.
The firewall info page has the answer, as shown in @AjitKumar screenshot.
Note the IP subnets might be different for your Meraki organisation so don't copy the screenshot.
I don't think anyone has mentioned the impact of the "RADIUS Proxy" setting on the Access Control Configuration page.
If you do not use RADIUS Proxy, I believe the RADIUS messages will originate from the management interface of each access point.
If you do use RADIUS Proxy, the messages will originate from Meraki cloud as indicated on the firewall info page.
In one of my networks where I use RADIUS proxy, the firewall info page shows a line for port 1812 where the source IP contains three networks (two /24 and one /20). The destination IP shows the addresses of my two RADIUS servers. When I did the initial setup, I added the three Meraki-provided CIDR ranges as allowed clients in my RADIUS configuration.
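As an added example (not posted by anyone in this thread), here is how the RADIUS-proxy case described above looks in a FreeRADIUS 3 `clients.conf`: each Meraki-provided source range becomes its own client entry. The networks below are RFC 5737 documentation placeholders, and the secret is a placeholder; the real ranges come from Help --> Firewall info and the secret from the dashboard's RADIUS server settings.

```conf
# Placeholder ranges standing in for the Meraki cloud source networks
# (the poster above had two /24 and one /20). Replace with the CIDRs
# listed for UDP/1812 on the Firewall info page of your own organisation.

client meraki_cloud_1 {
    ipaddr    = 192.0.2.0/24        # placeholder, NOT a real Meraki range
    secret    = REPLACE_WITH_DASHBOARD_SHARED_SECRET
    shortname = meraki-cloud-1
    nas_type  = other
    # Reject Access-Requests from this client that lack a Message-Authenticator
    require_message_authenticator = yes
}

client meraki_cloud_2 {
    ipaddr    = 198.51.100.0/24     # placeholder, NOT a real Meraki range
    secret    = REPLACE_WITH_DASHBOARD_SHARED_SECRET
    shortname = meraki-cloud-2
    nas_type  = other
    require_message_authenticator = yes
}

client meraki_cloud_3 {
    ipaddr    = 203.0.113.0/24      # placeholder; the real one here was a /20
    secret    = REPLACE_WITH_DASHBOARD_SHARED_SECRET
    shortname = meraki-cloud-3
    nas_type  = other
    require_message_authenticator = yes
}

# No catch-all client (0.0.0.0/0) is defined: any source not matched above
# is silently ignored by FreeRADIUS rather than answered.
```

The host firewall rule for UDP/1812 should admit only these same source ranges; without RADIUS Proxy the clients are instead the access points' management addresses on the internal network.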