
captive portal authentication with radius (local)

SOLVED

We are making a design to authenticate guest users via captive portal. The guest account has been created by the sponsor portal of Cisco ISE.

 

Unfortunately, the captive portal is hosted in the cloud and authentication (validation) of the connected user is done via RADIUS (port 1812). The RADIUS packet is traversing over the internet from Meraki cloud to our internal Cisco ISE nodes, but this is unsafe.

 

Does somebody have an implementation which may be convenient for us too?

 

^Rob

1 ACCEPTED SOLUTION

Accepted Solutions
Meraki Employee

Re: captive portal authentication with radius (local)

Hi @RobHuijser ,

 

RADIUS only encrypts the password section of the packet. Other information, such as username, authorized services, and accounting, can be captured by a third party. The best recommendation is to deploy the authentication server on-premises or over a VPN rather than putting it out on the Internet. Many cloud hosters like AWS, Azure, and Google provide IPsec VPN services; it is worth establishing a VPN tunnel to secure the packets.

Otherwise, you can leverage something like TACACS which will encrypt the entire packet, unlike RADIUS.

 

Cheers!

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
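
The point made in the answer above, that only the password attribute is hidden while the rest of an Access-Request is readable in transit, shown as an added example that is not part of the original thread. It follows the RFC 2865 packet layout; the user name, password, shared secret, authenticator and NAS address are constructed sample values.

```python
import hashlib
import struct

# RFC 2865 attribute type codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    n = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(user, password, secret, authenticator, ident=1):
    """Build a minimal Access-Request (code 1) with three attributes."""
    attrs = b""
    for typ, val in ((USER_NAME, user),
                     (USER_PASSWORD, hide_password(password, secret, authenticator)),
                     (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Decode attributes exactly as visible on the wire; no shared secret needed."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20                            # 20 = header + authenticator
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

# Constructed sample values, not taken from the thread.
SECRET = b"example-shared-secret"
AUTH = bytes(range(16))
PACKET = build_access_request(b"guest01", b"Passw0rd!", SECRET, AUTH)

if __name__ == "__main__":
    seen = parse_attributes(PACKET)
    print("User-Name on the wire:     ", seen[USER_NAME])
    print("User-Password on the wire: ", seen[USER_PASSWORD].hex())
    print("NAS-IP-Address on the wire:", ".".join(map(str, seen[NAS_IP_ADDRESS])))
```

The hidden password is only as strong as the shared secret and MD5, which is why the answer recommends carrying the whole exchange inside a VPN tunnel.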