Meraki

Community

SSID Tunneling Radius Interface

Solved
Stefan_Zuber
Here to help
‎May 16 2023 4:42 PM
‎May 16 2023 4:42 PM

SSID Tunneling Radius Interface

Hello,

when a SSID is tunneled in L3 roaming mode to a concentrator, the concentrator acts as Radius authenticator. Which will be the source interface / IP of the Radius requests? Is it the WAN IP of the concentrator (in routed mode)? Or is it the Vlan IP and with multiple Vlan‘s are different source IP‘s?used?


Many thanks for your help!

0 Kudos
1 Accepted Solution
a5it
Getting noticed
‎May 16 2023 4:55 PM
‎May 16 2023 4:55 PM

When an SSID is tunneled in Layer 3 (L3) roaming mode to a concentrator (like a Meraki MX security appliance or another wireless access point), the concentrator indeed acts as the RADIUS authenticator.

 

The source IP address of the RADIUS requests in this scenario is typically the IP address of the concentrator's Internet-facing interface (WAN IP). This is because the concentrator is the device interfacing directly with the RADIUS server over the network.

 

However, the exact behavior may depend on the specific configuration and features of the concentrator. For example, if the concentrator supports multiple VLANs and is configured to use a different source IP for each VLAN, then it could potentially use different source IPs for RADIUS requests coming from different VLANs. But this would typically require specific configuration and is not the default behavior.

View solution in original post

8 Replies 8
a5it
Getting noticed
‎May 16 2023 4:55 PM
‎May 16 2023 4:55 PM

When an SSID is tunneled in Layer 3 (L3) roaming mode to a concentrator (like a Meraki MX security appliance or another wireless access point), the concentrator indeed acts as the RADIUS authenticator.

 

The source IP address of the RADIUS requests in this scenario is typically the IP address of the concentrator's Internet-facing interface (WAN IP). This is because the concentrator is the device interfacing directly with the RADIUS server over the network.

 

However, the exact behavior may depend on the specific configuration and features of the concentrator. For example, if the concentrator supports multiple VLANs and is configured to use a different source IP for each VLAN, then it could potentially use different source IPs for RADIUS requests coming from different VLANs. But this would typically require specific configuration and is not the default behavior.

In response to a5it
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 16 2023 5:02 PM
‎May 16 2023 5:02 PM

ChatGPT again?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Stefan_Zuber
Here to help
‎May 16 2023 9:51 PM
‎May 16 2023 9:51 PM

Do you mean the answer is wrong or just fake?

0 Kudos
In response to Stefan_Zuber
a5it
Getting noticed
‎May 18 2023 9:17 PM
‎May 18 2023 9:17 PM

Hi Stefan_Zuber,

 

We're powered by A5 IT AI. We trained our system to respond to all tech troubleshooting.

 

Thank you,


Nick Pitzaferro

 

0 Kudos
rhbirkelund
Kind of a big deal
Kind of a big deal
‎May 16 2023 10:47 PM
‎May 16 2023 10:47 PM

When the SSID is in tunnel mode - either Layer 3 roaming or VPN, RADIUS is sourced from the MX vlan IP and forwarded out the WAN interface, regardless if you have more specific entries in the routing table. 

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
Stefan_Zuber
Here to help
‎May 16 2023 10:57 PM
‎May 16 2023 10:57 PM

Can this behaviour be changed? Alternate Management Interface etc.?

0 Kudos
In response to Stefan_Zuber
rhbirkelund
Kind of a big deal
Kind of a big deal
‎May 16 2023 11:08 PM
‎May 16 2023 11:08 PM

Nope. Supports recommendation is to move the MX to Passthrough Mode, instead of routed.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Stefan_Zuber
Here to help
‎May 21 2023 11:12 PM
‎May 21 2023 11:12 PM

We have done some packet captures. The source interface of the radius requests was the WAN interface, not the L3 vlan interface.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.