captive portal authentication with radius (local)

SOLVED
RobHuijser

We are making a design to authenticate guest users via captive portal. The guest account has been created by the sponsor portal of Cisco ISE.

Unfortunately, the captive portal is hosted in the cloud and authentication (validation) of the connected user is done via Radius (port 1812). The Radius packet is traversing over the internet from Meraki cloud to our internal Cisco ISE nodes, but this is unsafe.

Does somebody have an implementation which may be convenient for us too?

^Rob

1 ACCEPTED SOLUTION
Raj66
Meraki Employee

Hi @RobHuijser,

Radius only encrypts the password section of the packet. Other information, such as username, authorized services, and accounting, can be captured by a third party. The best recommendation is to deploy the authentication server on-premises or over a VPN rather than putting it out on the Internet. Many cloud hosters like AWS, Azure, and Google provide IPsec VPN services; it is worth establishing a VPN tunnel to secure the packets.

Otherwise, you can leverage something like TACACS which will encrypt the entire packet, unlike Radius.

Cheers!

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
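
The accepted answer's point about what RADIUS protects, shown as an added example that is not part of the original posts and is not Meraki or Cisco code: it builds an Access-Request following RFC 2865 and then parses it without the shared secret. The user name, password, secret, MAC address and function names are all constructed for illustration.

```python
import hashlib
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))          # at least one block
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, authenticator, mac, ident=1):
    """Access-Request (code 1) with User-Name, User-Password, Calling-Station-Id."""
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, user), (2, hidden), (31, mac)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_without_secret(packet: bytes):
    """Return (code, {type: value}) using only what is visible on the wire."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

# Constructed sample values, not taken from the thread.
USER, PASSWORD, SECRET = b"guest01@example.com", b"Constructed-Pw1", b"constructed-secret"
AUTHENTICATOR, MAC = bytes(range(16)), b"AA-BB-CC-DD-EE-FF"
PACKET = build_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR, MAC)

if __name__ == "__main__":
    code, attrs = parse_without_secret(PACKET)
    print("User-Name (clear):         ", attrs[1].decode())
    print("Calling-Station-Id (clear):", attrs[31].decode())
    print("User-Password (hidden):    ", attrs[2].hex())
```

The only field that depends on the shared secret is User-Password, and its protection rests on MD5 and the strength of that secret, which is why the answer recommends carrying the exchange inside a VPN tunnel.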
