Hotspot 2.0 RadSec Setup - Workaround for Third-Party Provided AAA

neuro
Comes here often


I'm attempting to set up Hotspot 2.0 using RadSec on Meraki. The client I am working with provides the AAA server (Radiator) and has provided the CA certs, client cert, and client key. Radsec authentication is a requirement. The issue I am faced with is that they are opposed to importing each individual Meraki Org's CA root certificate to their radius server.


I am wondering what possible workarounds are available to accomplish this task. Radsecproxy is an option, but is less than ideal for this scenario.


Yes, I opened a case with TAC some time ago and I got the standard answer from the docs. I understand that this is typically not how RadSec is set up. However, I've been able to accomplish this with other vendors. I'm intimately familiar with Meraki wireless (two years installing Meraki solutions for recognized brands at an MSP). I also have a decent understanding of PKIs/cert-based auth, but am by no means an expert. Perhaps I am overlooking something relatively obvious here.


With all that, I'd like to express my appreciation to those of you who took the time to read this post. Thank you!


https://documentation.meraki.com/MR/Encryption_and_Authentication/MR_RADSec

1 Reply
alemabrahao
Kind of a big deal

If your client is opposed to importing each individual Meraki Org's CA root certificate, you could explore the possibility of using an intermediate CA. This way, you can have a single intermediate CA that is trusted by both the Meraki Org and the AAA server. This might simplify the certificate management process.


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
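The intermediate-CA idea above comes down to one question: which certificate does the AAA server need in its trust store for the AP's client certificate to validate? The following POSIX shell script is an added illustration, not code from this thread, from Meraki, or from Radiator. It builds a constructed three-tier chain (root, intermediate, leaf) with the openssl CLI and then validates the leaf three ways: trusting the root, trusting only the intermediate, and trusting only the intermediate with partial-chain validation enabled. All subjects, file names and the working directory are made up for the demo; the openssl CLI stands in for whatever TLS stack the RADIUS server actually uses.

```shell
#!/bin/sh
# Added illustration: a constructed two-tier CA hierarchy (root -> intermediate -> leaf)
# built with openssl, used to check what a validator needs in its trust store.
# All names, subjects and paths below are made up for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/radsec-chain-demo.$$"

# Build a root CA, an intermediate CA signed by the root, and a client (leaf)
# certificate signed by the intermediate, as an AP would present for RadSec.
make_pki() {
  mkdir -p "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

  # Root CA (self-signed)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

  # Leaf client certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=ap-demo-0001.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf MODE: validate leaf.pem the way a server with a given trust store would.
#   root         trust store holds the root; the intermediate arrives as untrusted chain material
#   int-only     trust store holds only the intermediate; validator insists on a self-signed anchor
#   int-partial  trust store holds only the intermediate; validator accepts a partial chain
# Exit status is that of openssl verify: 0 = accepted, non-zero = rejected.
verify_leaf() {
  case "$1" in
    root)        openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" ;;
    int-only)    openssl verify -CAfile "$WORK/int.pem" "$WORK/leaf.pem" ;;
    int-partial) openssl verify -partial_chain -CAfile "$WORK/int.pem" "$WORK/leaf.pem" ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# Remove the demo material.
cleanup() { rm -rf "$WORK"; }

make_pki
for mode in root int-only int-partial; do
  if verify_leaf "$mode" >/dev/null 2>&1; then
    echo "$mode: leaf accepted"
  else
    echo "$mode: leaf rejected"
  fi
done
# Expected: root accepted, int-only rejected, int-partial accepted.
```

The point for the design discussion: a validator only accepts an intermediate as the sole trust anchor if its TLS stack allows partial chains (the `int-partial` case); a stack that insists on chaining up to a self-signed root rejects the same leaf (`int-only`) and still needs the root in its store. Whether Radiator, or any other AAA server, behaves like the first or the second case is something to confirm on that server before building the certificate plan around a single intermediate.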