If you enable RADIUS testing on the SSID, the APs will regularly be sending an Access-Request with "meraki_802.1x_test" identity. A test is considered succesful if the AP gets any response (Challenge, Accept/Reject). If no response is provided for the Access-Request, a failure is considered, and the Dashboard will raise an Alert. This is all described per documentation; https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X_Failure   But, as I understand, rather than relying on Meraki RADIUS testing form AP to RADIUS server, you'd rather like to send a CoA to the AP instead, inorder to test connectivity? I'm not familiar with the RFC, so I'll take your word that if a CoA is sent, the AP ought to respond with a NAK whether or not the CoA is valid or not, and use this to monitor connectivity to the APs?   What type of encryption is your SSID using? Also, according to the CoA documentation (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points) it's recommended to enable Cisco ISE, regardless if you're using ISE or not, for CoA. ... View more

Take a look at this video.   https://youtu.be/zRRwzeq1DWo?si=nZ_UHian22635XJV ... View more

@Alexs20  all attributes available are here.   https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X   If you are not able to find this information here it's probably not supported. ... View more

It would be best to have a VPN from the AP management VLAN to the RADIUS server. ... View more

As @ww correctly mentioned, not natively. But if you have the strict business requirement to do this, you could achieve this with the Cisco ISE. But if you have a RADIUS server like the ISE, implementing 802.1X is always the better option. ... View more

Bummer!  Then your only choice is group policies. ... View more

oh, NM, I found the problem. I had to add my PC IP into the list of radius servers ... View more

Yeah, I saw that. This is hotspot 2 not the same as the regular hotspot, not all devices support hotspot 2 connections. For example for Android devices - only starting Android 11 with special HW, the same with Apple, only devices from last 5-6 years. And this is a problem, because we are trying to cover 99.9% of devices. Unfortunately the closes implementation of the regular hotspot is what Meraki calling - Sign-on with Radius, which has very limited functionality. But anyway, thanks for trying to help and direct me, but looks like not all problems possible to resolve in a easy way 🙂 ... View more

This is the documentation for using COA with MR. https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points  ... View more

Sorry, I cannot provide more details about why it is so important for us to send custom value in that or any other filed that appears in Accounting as well, as it will disclose our private architecture info.  But just trust my word - it is important for us, And probably this is why other vendors have implemented such customization as they also agree that this is important. ... View more

Yep.     RADIUS Accounting with a Sign-On Splash Page RADIUS accounting can be used with RADIUS authenticated splash pages to provide information regarding when a client was authorized through the splash page and later had that authorization cleared/expired. These messages are sent from the dashboard to the customer's configured RADIUS server. Note: RADIUS accounting is only available by default with 802.1X authentication. To enable RADIUS accounting for splash pages as well, please contact Cisco Meraki support. RADIUS accounting is not currently available on splash pages for security appliances or teleworker gateways. ... View more

oh, np, all good, I probably need to get the real device and play with the config to see what I can and cannot do. but anyways, thanks 🙂 ... View more