Wireless RADIUS concentrator

SOLVED
Billy
Getting noticed

Wireless RADIUS concentrator

I have a network consisting of a few sites connected through VPN (Hub/Spoke) with several access points and I want to provide certificate based authentication for a specific SSID through the NPS server.

 

Having to configure several IPs as a source on the NPS server is quite time consuming, enabling the Meraki's RADIUS proxy and exposing the server to the internet is definitely not the best option and using a Wireless Concentrator and driving all of the wireless traffic to a single point would result in a non-optimal bandwidth utilization.

 

Is there any way, or any plans to implement a way of using a single source for all those RADIUS requests? The ability of configuring one of the MX devices as a RADIUS proxy would be a nice feature

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

If you are using an NPS server as a remote proxy for the additional SSID, then all those requests will come from one IP address - that of the remote NPS proxy server.

View solution in original post

4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal

Did you know you can specify a prefix instead of an individual IP address in NPS?  For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.


@PhilipDAth wrote:

Did you know you can specify a prefix instead of an individual IP address in NPS?  For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.


The certificate based authentication is tested and works, however I'd rather not go with a generic /16 definition as a source.

 

Furthermore, there is an additional SSID that authenticates in NPS servers that I don't manage and pass through firewalls that I also don't manage (merged companies). From a security compliance perspective, there's no way that a /16 definition would be accepted.

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

If you are using an NPS server as a remote proxy for the additional SSID, then all those requests will come from one IP address - that of the remote NPS proxy server.

PhilipDAth
Kind of a big deal
Kind of a big deal

Also did you know if you use Systems Manager you can have it deploy a certificate automatically on each machine, for certificate based authentication, and you don't even need NPS?  Considering how cheap Systems Manager is - this is quite a good option.  WiFi authentication is no longer dependent on any of your infrastructure.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels