Wireless RADIUS concentrator

Solved
Billy
Getting noticed


I have a network consisting of a few sites connected through VPN (Hub/Spoke) with several access points, and I want to provide certificate-based authentication for a specific SSID through the NPS server.

Having to configure several IPs as a source on the NPS server is quite time-consuming; enabling Meraki's RADIUS proxy and exposing the server to the internet is definitely not the best option; and using a Wireless Concentrator and driving all of the wireless traffic to a single point would result in non-optimal bandwidth utilization.

Is there any way, or are there any plans to implement a way, of using a single source for all those RADIUS requests? The ability to configure one of the MX devices as a RADIUS proxy would be a nice feature.

1 Accepted Solution
PhilipDAth
Kind of a big deal

If you are using an NPS server as a remote proxy for the additional SSID, then all those requests will come from one IP address - that of the remote NPS proxy server.


4 Replies
PhilipDAth
Kind of a big deal

Did you know you can specify a prefix instead of an individual IP address in NPS?  For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.

Billy
Getting noticed


@PhilipDAth wrote:

Did you know you can specify a prefix instead of an individual IP address in NPS?  For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.


The certificate-based authentication is tested and works; however, I'd rather not go with a generic /16 definition as a source.

Furthermore, there is an additional SSID that authenticates in NPS servers that I don't manage and passes through firewalls that I also don't manage (merged companies). From a security compliance perspective, there's no way that a /16 definition would be accepted.
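
Added example (not written by any poster in this thread, and not Meraki or Microsoft code): the thread contrasts one RADIUS client entry per AP with a single 192.168.0.0/16 entry, and this script computes per-site prefixes in between and counts how many source addresses the resulting client list would admit. The inventory, site names and the `max_extra` threshold are constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): site -> AP management IPs reaching NPS over the VPN.
AP_INVENTORY = {
    "hub":     ["192.168.10.11", "192.168.10.12", "192.168.10.13", "192.168.10.14"],
    "spoke-a": ["192.168.20.5", "192.168.20.6"],
    "spoke-b": ["192.168.31.200", "192.168.31.201", "192.168.31.250"],
}

def covering_prefix(addresses):
    """Smallest single CIDR block that contains every address given."""
    ips = sorted(ipaddress.ip_address(a) for a in addresses)
    net = ipaddress.ip_network(str(ips[0]))   # start as a host route (/32)
    while ips[-1] not in net:                 # widen one bit at a time
        net = net.supernet()
    return net

def exact_prefixes(addresses):
    """Minimal CIDR list that admits the given addresses and nothing else."""
    hosts = [ipaddress.ip_network(a) for a in addresses]
    return list(ipaddress.collapse_addresses(hosts))

def plan_clients(inventory, max_extra=8):
    """Per site: one covering prefix if it admits at most max_extra non-AP
    addresses, otherwise fall back to the exact (longer) prefix list."""
    plan = {}
    for site, addrs in inventory.items():
        net = covering_prefix(addrs)
        extra = net.num_addresses - len(set(addrs))
        plan[site] = [net] if extra <= max_extra else exact_prefixes(addrs)
    return plan

def admitted(plan):
    """Total source addresses the planned client entries would accept."""
    return sum(n.num_addresses for nets in plan.values() for n in nets)

if __name__ == "__main__":
    plan = plan_clients(AP_INVENTORY)
    for site, nets in plan.items():
        print(site, [str(n) for n in nets])
    wide = ipaddress.ip_network("192.168.0.0/16").num_addresses
    print(f"admitted sources: {admitted(plan)} vs {wide} for 192.168.0.0/16")
```

Each prefix in the output corresponds to one RADIUS client entry; a site with an outlying AP address (spoke-b here) is split into exact prefixes instead of being widened.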

 

 

PhilipDAth
Kind of a big deal

If you are using an NPS server as a remote proxy for the additional SSID, then all those requests will come from one IP address - that of the remote NPS proxy server.

PhilipDAth
Kind of a big deal

Also, did you know that if you use Systems Manager you can have it deploy a certificate automatically on each machine, for certificate-based authentication, and you don't even need NPS?  Considering how cheap Systems Manager is - this is quite a good option.  WiFi authentication is no longer dependent on any of your infrastructure.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...
