SSID Tunneling Radius Interface

Solved
Stefan_Zuber
Here to help

Hello,

When an SSID is tunneled in L3 roaming mode to a concentrator, the concentrator acts as the RADIUS authenticator. Which will be the source interface / IP of the RADIUS requests? Is it the WAN IP of the concentrator (in routed mode)? Or is it the VLAN IP, and with multiple VLANs are different source IPs used?


Many thanks for your help!

1 Accepted Solution
a5it
Getting noticed

When an SSID is tunneled in Layer 3 (L3) roaming mode to a concentrator (like a Meraki MX security appliance or another wireless access point), the concentrator indeed acts as the RADIUS authenticator.

The source IP address of the RADIUS requests in this scenario is typically the IP address of the concentrator's Internet-facing interface (WAN IP). This is because the concentrator is the device interfacing directly with the RADIUS server over the network.

However, the exact behavior may depend on the specific configuration and features of the concentrator. For example, if the concentrator supports multiple VLANs and is configured to use a different source IP for each VLAN, then it could potentially use different source IPs for RADIUS requests coming from different VLANs. But this would typically require specific configuration and is not the default behavior.

8 Replies
alemabrahao
Kind of a big deal

ChatGPT again?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Stefan_Zuber
Here to help

Do you mean the answer is wrong or just fake?

a5it
Getting noticed

Hi Stefan_Zuber,

We're powered by A5 IT AI. We trained our system to respond to all tech troubleshooting.

Thank you,

Nick Pitzaferro

rhbirkelund
Kind of a big deal

When the SSID is in tunnel mode - either Layer 3 roaming or VPN - RADIUS is sourced from the MX VLAN IP and forwarded out the WAN interface, regardless of whether you have more specific entries in the routing table.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for code execution is solely your own.
Stefan_Zuber
Here to help

Can this behaviour be changed? Alternate Management Interface etc.?

rhbirkelund
Kind of a big deal

Nope. Support's recommendation is to move the MX to Passthrough Mode, instead of routed.

Stefan_Zuber
Here to help

We have done some packet captures. The source interface of the RADIUS requests was the WAN interface, not the L3 VLAN interface.
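One way to repeat the packet-capture check from the last post, as an added example that is not part of the thread: the script reads a classic pcap taken in front of the RADIUS server, lists the IP-header source of every Access-Request next to its NAS-IP-Address attribute (if present), and flags sources that have no RADIUS client entry. The function names, the sample addresses and the constructed one-packet capture are assumptions made for illustration.

```python
import socket
import struct
def radius_sources(pcap: bytes):
    """Return (IP source, NAS-IP-Address or None) for each Access-Request."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    out, pos = [], 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # untagged Ethernet/IPv4/UDP only; 802.1Q is not handled
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 28 or struct.unpack("!H", udp[2:4])[0] != 1812 or udp[8] != 1:
            continue  # keep only Access-Request (code 1) sent to UDP/1812
        rad = udp[8:8 + struct.unpack("!H", udp[10:12])[0]]
        nas_ip, i = None, 20  # attributes start after the 20-byte header
        while i + 2 <= len(rad):
            atype, alen = rad[i], rad[i + 1]
            if alen < 2:
                break  # malformed attribute, stop walking
            if atype == 4 and alen == 6 and i + 6 <= len(rad):
                nas_ip = socket.inet_ntoa(rad[i + 2:i + 6])
            i += alen
        out.append((socket.inet_ntoa(frame[26:30]), nas_ip))
    return out

def unexpected_sources(pcap: bytes, allowed_clients):
    """Source IPs seen in the capture with no matching RADIUS client entry."""
    return sorted({src for src, _ in radius_sources(pcap)} - set(allowed_clients))

def sample_pcap(src_ip: str, nas_ip: str) -> bytes:
    """Constructed one-packet capture; every address and value is made up."""
    attrs = bytes([1, 5]) + b"bob" + bytes([4, 6]) + socket.inet_aton(nas_ip)
    rad = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs
    udp = struct.pack("!HHHH", 40000, 1812, 8 + len(rad), 0) + rad
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("192.0.2.10"))
    frame = bytes(12) + b"\x08\x00" + ip + udp
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    print(radius_sources(sample_pcap("203.0.113.5", "10.0.20.1")))
```

For a real capture, pass the bytes of a classic pcap file (not pcapng) to `radius_sources`; the RADIUS server matches its client entry and shared secret against the IP-header source, so that is the address to compare with the configured clients.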
