There are some scenarios where customer has larger number of MR's that have to be installed and require SSIDs with WPA2-Enterprise RADIUS authentication. These devices could be spread around different networks, and it becomes an issue to add all of these access points as individual clients in the RADIUS server.
Radius Proxy provides an alternative approach to fit this use case. In such situations, a RADIUS proxy can be set up such that instead of adding the access points as individual clients, dashboard IP ranges can be used.
https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Proxy_for_WPA2-Enterprise_S...
The RADIUS proxy feature allows for the use of the Meraki cloud as the source of RADIUS Access-Request messages instead of the access points themselves. This means that the RADIUS server should be configured to allowlist the Meraki cloud communication and Backup Meraki cloud communication IP ranges found under Help > Firewall info on the dashboard instead of adding individual access points as clients.
You don't need to fully expose your Radius server to the internet. Your Radius server could stay protected behind a NG-FW, you just need to allow UDP port 1812 incoming packets from those specifics IP address sources provides by the Meraki Dashboard (Help > Firewall info)
The major problem with this solution is that the regular Radius messages over UDP protocol are not encrypted. So, if the Dashboard supports RadSec, this could solve the confidentiality issue.