Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to simplify MR declaration in a radius Server ?

Solved
dimatt
Getting noticed
‎Oct 2 2023 1:34 AM
‎Oct 2 2023 1:34 AM

How to simplify MR declaration in a radius Server ?

Hello,

 

I have a Radius Server and lot of MR Access point.

 

Wifi is protected by Radius authentication.

 

All the AP have to be declared on the Radius Server for it to work.

 

How i can declare onfly one IP adresse for all the AP in the same network to simplify the radius configuration ?

 

I have seen some option like NAS ID, caller ID,...

 

Do you have any idea ?

 

Thanks.

0 Kudos
Subscribe
1 Accepted Solution
In response to DarrenOC
YoeriOppelaar1
Here to help
‎Oct 2 2023 4:10 AM
‎Oct 2 2023 4:10 AM

As mentioned by @DarrenOC, go for a per subnet radius client entry on you radius solution.
Radius attributes like NAS ID / Type etc...... cant be used for the authentication of the radius session itself, it will be used when the radius session correctly configured and working, mainly to filter client connection like SSID, connection speed, wireless capabilities, so you can make very specific authorization rules for the clients as radius results. 

 

The only way to use 1 IP for all clients, but in my not the way to go is place as close to the radius server a NAT device who translates al requests, but this makes troubleshooting a real pain in the....... ( to be filled in to you favorite 🙂

 

Also one common practice as we do a lot of Cisco Blue / Meraki or hybrid setups with radius ( mainly Cisco ISE), we make 2 mgmt vlans, one for the switches and other for the AP's per location, this to make the radius differences between types easier from ISE/Radius perspective. 

 

Hope this helps. if not let us know and help you further
with regards Yoeri

View solution in original post

Subscribe
7 Replies 7
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 2 2023 2:01 AM
‎Oct 2 2023 2:01 AM

Instead of configuring each individual AP IP add the IP subnet.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Subscribe
In response to DarrenOC
ww
Kind of a big deal
Kind of a big deal
‎Oct 2 2023 2:08 AM
‎Oct 2 2023 2:08 AM

Yes, put all meraki hardware in the same vlan and add that subnet to the radius.

 

 

Another option is radius proxy

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Proxy_for_WPA2-Enterprise_S...

Subscribe
In response to DarrenOC
YoeriOppelaar1
Here to help
‎Oct 2 2023 4:10 AM
‎Oct 2 2023 4:10 AM

As mentioned by @DarrenOC, go for a per subnet radius client entry on you radius solution.
Radius attributes like NAS ID / Type etc...... cant be used for the authentication of the radius session itself, it will be used when the radius session correctly configured and working, mainly to filter client connection like SSID, connection speed, wireless capabilities, so you can make very specific authorization rules for the clients as radius results. 

 

The only way to use 1 IP for all clients, but in my not the way to go is place as close to the radius server a NAT device who translates al requests, but this makes troubleshooting a real pain in the....... ( to be filled in to you favorite 🙂

 

Also one common practice as we do a lot of Cisco Blue / Meraki or hybrid setups with radius ( mainly Cisco ISE), we make 2 mgmt vlans, one for the switches and other for the AP's per location, this to make the radius differences between types easier from ISE/Radius perspective. 

 

Hope this helps. if not let us know and help you further
with regards Yoeri

Subscribe
In response to YoeriOppelaar1
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 2 2023 6:18 AM
‎Oct 2 2023 6:18 AM

@YoeriOppelaar1 Good idea on the dual mgmt VLANs 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Subscribe
In response to YoeriOppelaar1
dimatt
Getting noticed
‎Oct 2 2023 11:43 PM
‎Oct 2 2023 11:43 PM

One dedicated vlan for the AP mgmt and declare the subnet on the radius server seem to be the best solution.

 

Thanks for your help.

0 Kudos
Subscribe
In response to DarrenOC
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 4 2023 12:18 PM
‎Oct 4 2023 12:18 PM

I'm with @DarrenOC on this one.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
TBHPTL
A model citizen
‎Oct 2 2023 8:34 AM
‎Oct 2 2023 8:34 AM

With RADIUS Proxy

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.