Enabling RADSEC causes AP to switch to TCP-1812 for Radius?

mak2018
Getting noticed


Can you have both a RADIUS and a RADSEC server on a single SSID? Before enabling RADSEC, RADIUS auth worked over UDP/1812, but after enabling RADSEC, RADIUS auth switched to TCP/1812 for the non-RADSEC-enabled server. I couldn't find mention of that in any of the documentation, but Google AI says this:

Key Aspects of Meraki RADSec Setup

Protocol: Converts standard UDP RADIUS traffic to TCP, protecting authentication and accounting messages from eavesdropping.

And confirmed via firewall logs:

radius-logs.png

10 Replies
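As an added example (not from the original poster, Meraki, or RADIUSaaS), the script below does the check the poster did by eye on the firewall log: it parses flow records, tallies which transport and destination port each RADIUS server is being reached on, and flags any server whose observed transport does not match its configured role. Plain RADIUS is UDP/1812 (authentication) and UDP/1813 (accounting); RadSec, per RFC 6614, is RADIUS over TLS on TCP/2083. The log line format, the IP addresses and the SERVERS mapping are constructed assumptions for the example, not any vendor's real log format or the poster's environment.

```python
"""Classify RADIUS / RadSec flows from firewall log lines and flag
transport mismatches (e.g. a plain-RADIUS server being reached over TCP).

The log format below is a constructed, generic 'proto src:sport -> dst:dport'
shape for the example; adapt LINE_RE to your own firewall's export.
"""
import re
from collections import Counter

# Expected (proto, dport) pairs per server role.
# RADIUS auth/acct (RFC 2865/2866) is UDP; RadSec (RFC 6614) is TCP/2083.
EXPECTED = {
    "radius": {("UDP", 1812), ("UDP", 1813)},
    "radsec": {("TCP", 2083)},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: AP 10.0.10.5 talks to two servers. 10.0.20.11 is
# configured as plain RADIUS, 10.0.20.12 as RadSec. The last two lines show
# the symptom under discussion: the plain-RADIUS server reached over TCP/1812.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW UDP 10.0.10.5:49152 -> 10.0.20.11:1812
2024-05-01T10:00:02Z ALLOW UDP 10.0.10.5:49152 -> 10.0.20.11:1813
2024-05-01T10:05:10Z ALLOW TCP 10.0.10.5:51000 -> 10.0.20.12:2083
2024-05-01T10:05:11Z ALLOW TCP 10.0.10.5:51001 -> 10.0.20.11:1812
2024-05-01T10:05:12Z DENY  TCP 10.0.10.5:51002 -> 10.0.20.11:1812
"""

# Hypothetical server roles as configured on the SSID (assumption for the example).
SERVERS = {"10.0.20.11": "radius", "10.0.20.12": "radsec"}


def parse_flows(text):
    """Return one dict per parseable log line; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        flows.append(d)
    return flows


def transports_by_server(flows):
    """Map destination IP -> Counter of (proto, dport) pairs observed."""
    seen = {}
    for f in flows:
        seen.setdefault(f["dst"], Counter())[(f["proto"], f["dport"])] += 1
    return seen


def find_transport_anomalies(flows, servers):
    """Return [(ip, proto, dport, count)] for traffic to a known server that
    does not match the transport expected for its role. DENY lines are counted
    too: they still show what the AP attempted."""
    anomalies = []
    for ip, counter in transports_by_server(flows).items():
        role = servers.get(ip)
        if role is None:
            continue  # not one of our RADIUS servers; ignore
        for (proto, dport), n in sorted(counter.items()):
            if (proto, dport) not in EXPECTED[role]:
                anomalies.append((ip, proto, dport, n))
    return anomalies


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for ip, counter in transports_by_server(flows).items():
        print(ip, dict(counter))
    for ip, proto, dport, n in find_transport_anomalies(flows, SERVERS):
        print(f"ANOMALY: {ip} ({SERVERS[ip]}) reached over {proto}/{dport} x{n}")
```

Feed your own export to parse_flows (after adjusting LINE_RE) and set SERVERS to the real server IPs and roles; an anomaly of ('TCP', 1812) against a server you expect to be plain RADIUS is the symptom described in the post, and a clean run with only UDP/1812-1813 and TCP/2083 is what you want to see.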
alemabrahao
Kind of a big deal

You can configure both regular RADIUS (UDP/1812) and RADSec on the same SSID in Meraki, but not on the same server entry.

Meraki | RADIUSaaS


If you must keep one server on UDP/1812, the safest configuration is to place legacy RADIUS servers on a different SSID, or move all servers to RadSec if possible.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
mak2018
Getting noticed

That is what we did, and Meraki changed the port to TCP for regular RADIUS:

radius-meraki.png


And how come you have a link to RADIUSaaS, do you work for them? The only reason I ask is that that is what I am POC'ing with RadSec right now.

alemabrahao
Kind of a big deal

It is possible to configure, but not recommended.

If you must keep one server on UDP/1812, the safest configuration is to place legacy RADIUS servers on a different SSID, or move all servers to RadSec if possible.

mak2018
Getting noticed

I get what you are saying, just that this is not expected behavior, and nowhere is that stated by Meraki, so it was a surprise. And it contradicts what you originally said. And I am just doing a POC, so I am not trying to move all of this anywhere at this point.

alemabrahao
Kind of a big deal

Remember, the SSID will respect the server list from top to bottom, so while the server above is responding, nothing will be forwarded to the server below. This explains the behavior.

Keep them on separate SSIDs and everything will be fine, or move everything to RadSec.

alemabrahao
Kind of a big deal

Strict Priority Order

The servers will always be contacted in the order listed in Dashboard. In the example given, that ordering is 1,2,3. That means that server 1 is always contacted first and server 2 will only be contacted if server 1 cannot be reached. Similarly, server 3 will only be contacted if neither server 1 nor server 2 can be reached.

 

https://documentation.meraki.com/Wireless/Design_and_Configure/Configuration_Guides/Encryption_and_A....

alemabrahao
Kind of a big deal

You asked if it was possible to configure it, and in fact it is, but whether it will actually work is another question. 😉

alemabrahao
Kind of a big deal

Another important detail: RadSec is TCP and regular RADIUS (port 1812) is UDP.

So, although you can configure both on the same SSID, it's recommended that you use one or the other, not both.

mak2018
Getting noticed

My man, I get all that, but I am not doing top down. I am simply testing from the Meraki portal itself, and enabling RadSec breaks/changes RADIUS if you have both configured on a single SSID.

alemabrahao
Kind of a big deal

In short, what you want to do will not work.

Because when RADSec is enabled for any server on an SSID, the Meraki access point changes the transport mode for all RADIUS authentication to TCP instead of UDP.
