What source IP addresses (or domains) will attempt to connect to my RADIUS server?

jamesmattison
New here

Hello:

My corporate office is attempting to set up a FreeRADIUS authenticated server that draws its credentials from an LDAP server. The LDAP side of things is configured and functioning properly; however, due to security concerns, we do not wish to open port 1812 to the entire open internet.

What will the source address be for these requests? The firewall page indicates that port 1812/UDP must be opened, but who exactly are we opening it to? I have tried for several hours now to find documentation that gives some indication as to what external source is required in this instance.

I am having trouble getting the RADIUS server to authenticate with the Meraki Cloud access points. Does Cisco actually force this port to be open to 0.0.0.0? And why is this required?

Thanks

James Mattison

5 Replies
Seshu
Meraki Employee

Please find the IP addresses at Help --> Firewall info on the dashboard.

jamesmattison
New here

Correct - that gives me the address that the Cloud needs access to. I need to know, from the point of view of the RADIUS server itself, what IP addresses (that are not from our network, i.e. external) need to be allowed access on this particular port. What I mean is, it is telling me to set the firewall to open port 1812 externally, allowing access to that IP address. I need to know where this external traffic is going to originate from.

AjitKumar
Head in the Cloud

Hi James,

I understand the "Dashboard" (e.g. "https://n69.meraki.com" in my case) will talk to the RADIUS server.

[Screenshot: Radius.PNG]

Note: This only applies if you are planning to host a "Captive Portal" for onboarding users.

If you are looking to onboard "Corporate Users" via WPA2-Enterprise, I believe we do not have to expose our RADIUS server to the public. Most of the time I see Corporate Users are "onboarded" via WPA2-Enterprise unless you have a different need.

[Screenshot: Radius Access Control.PNG]

Also, "Firewall Info" does share the desired IPs to be allowed.

[Screenshot: Firewall Rules.PNG]

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
PhilipDAth
Kind of a big deal

The firewall info page has the answer, as shown in @AjitKumar's screenshot.

Note the IP subnets might be different for your Meraki organisation so don't copy the screenshot.

HodyCrouch
Building a reputation

I don't think anyone has mentioned the impact of the "RADIUS Proxy" setting on the Access Control Configuration page.

If you do not use RADIUS Proxy, I believe the RADIUS messages will originate from the management interface of each access point.

If you do use RADIUS Proxy, the messages will originate from Meraki cloud as indicated on the firewall info page.

In one of my networks where I use RADIUS proxy, the firewall info page shows a line for port 1812 where the source IP contains three networks (two /24 and one /20). The destination IP shows the addresses of my two RADIUS servers. When I did the initial setup, I added the three Meraki-provided CIDR ranges as allowed clients in my RADIUS configuration.
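As an added example (not from this thread, and not Meraki's or FreeRADIUS's own documentation), here is a FreeRADIUS 3 `clients.conf` fragment showing the weak "open to everyone" client beside the corrected form for both cases discussed above. The CIDR ranges, subnet and secret are placeholders: take the real ranges from your dashboard's Help -> Firewall info page (RADIUS proxy on) or from your AP management subnet (RADIUS proxy off).

```conf
# clients.conf (FreeRADIUS 3.x) -- added example, values are placeholders.

# WEAK: any host on the internet may send Access-Requests and try secrets
# against your LDAP-backed accounts. Do not do this:
#
# client any {
#     ipaddr = 0.0.0.0/0
#     secret = testing123
# }

# CORRECTED, RADIUS proxy ON: only the source ranges listed for port
# 1812/UDP on the Firewall info page are accepted. 203.0.113.0/24 and
# 198.18.0.0/20 stand in for your organisation's ranges (the thread's
# example had two /24 and one /20); add one client block per range.
client meraki_cloud_1 {
    ipaddr    = 203.0.113.0/24
    # must match the secret entered for this server in Dashboard
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = meraki-cloud-1
    nas_type  = other
    # reject Access-Requests lacking a valid Message-Authenticator
    require_message_authenticator = yes
}
client meraki_cloud_2 {
    ipaddr    = 198.18.0.0/20
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = meraki-cloud-2
    nas_type  = other
    require_message_authenticator = yes
}

# CORRECTED, RADIUS proxy OFF: requests come from each access point's
# management interface, so the client is your own AP management subnet
# and port 1812 does not need to be reachable from the internet at all.
client meraki_aps_lan {
    # placeholder: your AP management subnet
    ipaddr    = 10.10.20.0/24
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = meraki-aps
    nas_type  = other
    require_message_authenticator = yes
}
```

Pair this with a firewall rule that admits 1812/UDP only from the same ranges; FreeRADIUS silently drops packets from unlisted clients, but the firewall keeps them from reaching radiusd at all.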
