COA destination IP

Alexs20
Getting noticed

Hi,

Assuming that I have one AP connected to Meraki cloud, with "MAC-based access control (no encryption)" security mode enabled.

I also have "RADIUS CoA support" option enabled.

What is the destination IP for CoA messages? Is it the same as Meraki console FQDN?

Thanks

5 Replies
PhilipDAth
Kind of a big deal

I don't know the answer - but surely it would be the source of the original RADIUS request - the AP itself.

Alexs20
Getting noticed

That means that I cannot use an external RADIUS server (meaning one hosted on the internet), as the AP sits behind the firewall.

Hmmm, ok, thanks.

Brash
Kind of a big deal

Similar to @PhilipDAth, I also don't know the answer but I think you're right.
CoA would require the RADIUS server sending a request to the AP which isn't really possible without an inbound NAT or proxy.

I initially thought you could look at using the Meraki RADIUS proxy but it doesn't support CoA.

Alexs20
Getting noticed

Looks like I need a little more help.

So, I am trying to talk to the AP using the radclient utility.

My command is:

echo '
Calling-Station-Id = "<MAC redacted>"
NAS-IP-Address = 192.168.2.224
Filter-Id = "PASS"
Event-Timestamp = "1692895863"
cisco-avpair="subscriber:command=reauthenticate"
cisco-avpair="subscriber:reauthenticate-type=rerun"
' | radclient -x 192.168.2.224:3799 coa <secret redacted>

But there is nothing coming back.

192.168.2.224 is the IP of my AP, and this is what I see in the Access-Request message when connecting to the SSID.

 

Any ideas?

Thanks

 

Alexs20
Getting noticed

Oh, NM, I found the problem. I had to add my PC's IP to the list of RADIUS servers.
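Why the CoA request above went unanswered until the sender's IP was listed as a RADIUS server, as an added example that is not part of the original thread and is not Meraki's code: a generic NAS-side check built on the RFC 5176 Request Authenticator. The function names, addresses and secret are constructed assumptions, and the silent-drop behaviour is modelled on what the thread observed.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet code for CoA-Request
ZERO_AUTH = b"\x00" * 16  # placeholder authenticator used while hashing

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request as the RADIUS server (or radclient) would send it."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs

def nas_accepts(packet: bytes, src_ip: str, servers: dict) -> tuple:
    """NAS-side check; servers maps configured RADIUS server IP -> shared secret."""
    secret = servers.get(src_ip)
    if secret is None:
        return (False, "source is not a configured RADIUS server: drop")
    if len(packet) < 20:
        return (False, "short packet: drop")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return (False, "malformed packet: drop")
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return (False, "bad Request Authenticator: drop")
    return (True, "process request, reply CoA-ACK or CoA-NAK")

# Constructed sample values (addresses, MAC and secret are not from the thread).
SECRET = b"example-secret"
SERVERS = {"192.0.2.10": SECRET}
ATTRS = (attr(31, b"02-00-00-00-00-01")               # Calling-Station-Id
         + attr(55, struct.pack("!I", 1692895863)))   # Event-Timestamp
PACKET = build_coa_request(1, ATTRS, SECRET)

if __name__ == "__main__":
    print(nas_accepts(PACKET, "192.0.2.10", SERVERS))  # listed server
    print(nas_accepts(PACKET, "192.0.2.99", SERVERS))  # unlisted sender
```

Because the shared secret is looked up by source address, an unlisted sender gets no reply at all, which from the sender's side looks the same as a firewall drop.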
