RadSec support for RADIUS Proxy

ibrugnolli
Comes here often

RadSec support for RADIUS Proxy

Hi,

 

We saw that RADSec support was introduced in MR firmware 30.X, when the MR is the authenticator in the 802.1x process.

 

Do we have any plans to support RadSec for the Radius Proxy option (when the Meraki Cloud is the authenticator) ?

 

Best Regards.

 

Ivan Brugnolli

 

2 Replies 2
alemabrahao
Kind of a big deal
Kind of a big deal

I'm sorry, but correct me if I'm wrong, but to use Radius Proxy on Meraki, your server needs to be accessible via the internet.

What is the advantage of exposing your server to the internet? It's a bit insecure, isn't it? Even if you only allow specific origins, I don't see it as a good idea.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ibrugnolli
Comes here often

There are some scenarios where customer has larger number of MR's that have to be installed and require SSIDs with WPA2-Enterprise RADIUS authentication. These devices could be spread around different networks, and it becomes an issue to add all of these access points as individual clients in the RADIUS server.

Radius Proxy provides an alternative approach to fit this use case. In such situations, a RADIUS proxy can be set up such that instead of adding the access points as individual clients, dashboard IP ranges can be used.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Proxy_for_WPA2-Enterprise_S...

 

The RADIUS proxy feature allows for the use of the Meraki cloud as the source of RADIUS Access-Request messages instead of the access points themselves. This means that the RADIUS server should be configured to allowlist the Meraki cloud communication and Backup Meraki cloud communication IP ranges found under Help > Firewall info on the dashboard instead of adding individual access points as clients.

 

You don't need to fully expose your Radius server to the internet. Your Radius server could stay protected behind a NG-FW, you just need to allow UDP port 1812 incoming packets from those specifics IP address sources provides by the Meraki Dashboard (Help > Firewall info)

 

The major problem with this solution is that the regular Radius messages over UDP protocol are not encrypted. So, if the Dashboard supports RadSec, this could solve the confidentiality issue.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels