How to simplify MR declaration in a radius Server ?

Solved
dimatt
Getting noticed

Hello,

I have a RADIUS server and a lot of MR access points.

Wi-Fi is protected by RADIUS authentication.

All the APs have to be declared on the RADIUS server for it to work.

How can I declare only one IP address for all the APs in the same network to simplify the RADIUS configuration?

I have seen some options like NAS ID, caller ID, ...

Do you have any idea?

Thanks.

1 Accepted Solution

As mentioned by @DarrenOC, go for a per-subnet RADIUS client entry on your RADIUS solution.
RADIUS attributes like NAS ID / Type etc. can't be used for the authentication of the RADIUS session itself; they are used once the RADIUS session is correctly configured and working, mainly to filter client connections by SSID, connection speed, wireless capabilities, so you can make very specific authorization rules for the clients as RADIUS results.

The only way to use 1 IP for all clients, but in my opinion not the way to go, is to place, as close to the RADIUS server as possible, a NAT device which translates all requests, but this makes troubleshooting a real pain in the....... (to be filled in with your favorite 🙂)

Also one common practice, as we do a lot of Cisco Blue / Meraki or hybrid setups with RADIUS (mainly Cisco ISE): we make 2 mgmt VLANs, one for the switches and one for the APs per location, to make the RADIUS differences between device types easier from an ISE/RADIUS perspective.

Hope this helps. If not, let us know and we'll help you further.
With regards, Yoeri
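As an added illustration of the per-subnet client entry recommended above (not configuration from the thread or from Meraki), here is what the change looks like in a FreeRADIUS 3.x `clients.conf`; the AP management subnet `10.20.30.0/24`, the client names and the secret placeholder are assumptions.

```conf
# clients.conf (FreeRADIUS 3.x syntax) -- added example, not from the thread.
# Assumed addressing: the APs sit in a dedicated management VLAN, 10.20.30.0/24.

# Before: one client block per access point. Every new AP needs another
# entry, and an AP that was missed is dropped as an unknown NAS.
client ap-lobby-01 {
    ipaddr = 10.20.30.11
    secret = CHANGE-ME-shared-secret   # placeholder, use a long random value
    nas_type = other
}
client ap-lobby-02 {
    ipaddr = 10.20.30.12
    secret = CHANGE-ME-shared-secret   # placeholder, use a long random value
    nas_type = other
}

# After: a single client block that covers the whole AP management subnet.
client meraki-ap-mgmt {
    ipaddr = 10.20.30.0/24             # CIDR match on the source IP of the request
    shortname = meraki-aps
    secret = CHANGE-ME-shared-secret   # placeholder, use a long random value
    nas_type = other
    # Any host in this subnet that knows the secret can send Access-Requests,
    # which is why the subnet should contain only APs (the dedicated mgmt VLAN
    # suggested above) and why switches get their own client block / VLAN.
}

# Note: NAS-Identifier and similar attributes arrive inside the request and
# only become usable in policy (unlang) after the client has been matched by
# source IP and the secret has been verified; they cannot replace the client entry.
```

The per-AP blocks and the subnet block should not overlap in a real configuration; they are shown together only to contrast the two approaches.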


7 Replies
DarrenOC
Kind of a big deal

Instead of configuring each individual AP IP add the IP subnet.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
ww
Kind of a big deal

Yes, put all Meraki hardware in the same VLAN and add that subnet to the RADIUS server.

Another option is RADIUS proxy:

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Proxy_for_WPA2-Enterprise_S...


@YoeriOppelaar1 Good idea on the dual mgmt VLANs 


One dedicated VLAN for the AP management and declaring the subnet on the RADIUS server seems to be the best solution.

Thanks for your help.

I'm with @DarrenOC on this one.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
TBHPTL
A model citizen

With RADIUS Proxy
