Radius Authentication via Access Points

Captain
Getting noticed

Radius Authentication via Access Points

Hi,

 

We have a "special" setup for one of our sites which have its clients (PCs) connecting through the wifi using radius authentication.

The radius server is physically located at the same site with the clients that try to authenticate. 

 

The traffic flow for all auth requests goes like: 

 Client (PC) -> AP -> MX -> WWW -> Meraki Cloud

                    -> Meraki Cloud-> MX -> Radius server

 

We are concerned about security as some of the packets (UDP 1812) might be intercepted somewhere in between the Meraki Cloud to MX and EAP packets are not encrypted. 


I would like to know:

1. The radius packets sent to Meraki Cloud and back to MX are encrypted? 
    It makes sense that all the traffic that is being sent between MX <> Meraki Cloud is encapsulated and encrypted 
    But I don't know for sure and maybe as these are UDP1812 they are excluded from being included in the encapsulation?
   My question is - is this setup secure or not? 

2. Is it possible not to send the packets from APs -> Meraki Cloud just for them to reach back to the inside LAN where the Radius server is? 
MF-1-Radius-Auth.png

RADIUS Proxy for WPA2-Enterprise SSIDs - Cisco Meraki Documentation


Regards,

4 Replies 4
RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

Is there a good reason why you are using RADIUS proxy ? 

 

Wouldn't it be easier to use your own RADIUS servers without a proxy ?

Captain
Getting noticed

Hi RaphaeIL,

Thanks a lot for your quick response!

 

We actually do have the Radius servers on the same premise as the clients are.
When we tried at the beginning to forward all traffic from the access points directly to the radius servers on premise it didn't work. I figured out that as the access points are "reporting" everything to the Meraki Cloud it has to flow through the Meraki Cloud, and then from there back to the site (and it worked fine so far). 

Apparently, it can be done without Meraki Cloud as a proxy, and now I'd like to understand how to actually have ut corrected. 

If I change the radius servers ip addresses to point to the servers private ip addresses, then the traffic will never need to traverse through WAN to reach over back again to the local network.

 

But then how does the access points will be able to reach the radius servers lan?
Both the radius servers and the APs are on different management networks.

For instance, let's say that

 the access points are on network 192.168.128.0/24 - VLAN X.

 and the radius servers are on network 10.1.1.0/24 - VLAN Y.

 both of the vlans are defined on the MX addressing and vlans and have gateways. 

Adding routing rules / group policies to allow intervlan routing? Where? How?

 

 

Nowadays 

Captain_1-1724254212107.png

 

Private IPs in inside lan

Captain_0-1724254086660.png

 

Best Regards,

RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

But then how does the access points will be able to reach the radius servers lan?
Both the radius servers and the APs are on different management networks.

For instance, let's say that

 the access points are on network 192.168.128.0/24 - VLAN X.

 and the radius servers are on network 10.1.1.0/24 - VLAN Y.

 both of the vlans are defined on the MX addressing and vlans and have gateways. 

 

Yes the AP and the RADIUS server(s) need to have IP reachability. 

 

Is the routing done by a MX / MS or something else ? if so you have to make sure that inter-vlan routing is enabled and that UDP 1812-1813 is allowed between these vlans/endpoints.

KarstenI
Kind of a big deal
Kind of a big deal

As @RaphaelL says. The typical use-case for the RADIUS-Proxy is if you have branches that don't have IP connectivity to a central RADIUS server.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.