MR Meraki RADIUS 2.0
RADIUS Configuration
On the Access Control page, make sure "View new version" has been selected in the upper right corner. Once this has been done, click on the RADIUS option to show configuration options for RADIUS authentication and accounting servers.
You can add up to 3 servers for authentication and 3 for accounting. Each server requires an IP address, the port to be used, and the shared secret to be configured.
Accounting interim interval: If an accounting server is added and saved, the option Accounting interim interval will be available to control how often accounting messages are sent to the server.
To use Accounting interim interval, all APs must support firmware MR28 and be upgraded to it; this means all access points must be WiFi 5 Wave 2 or higher.
RADIUS testing: If enabled, Meraki devices will periodically send Access-Request messages to these RADIUS servers using identity 'meraki_8021x_test' to ensure that the RADIUS servers are reachable.
RADIUS CoA support: If enabled, Meraki devices will act as a RADIUS Dynamic Authorization Server and will respond to RADIUS Change-of-Authorization and Disconnect messages sent by the RADIUS servers.
RADIUS proxy: Meraki devices can send RADIUS Access-Request and Accounting messages via a Meraki proxy, which will forward these messages to the specified RADIUS servers.
RADIUS attribute specifying group policy name: Specify the RADIUS attribute used to look up group policies. Access points must receive this attribute in the RADIUS Access-Accept message. The value of the attribute must match the group policy name configured on this page. Four different attributes can be used to achieve this:
- Filter-ID
- Reply-Message
- Airespace-ACL-Name
- Aruba-User-Role
Advanced Settings
Some of these features will be available for all our customers by June 11th; if a feature is needed urgently before that, please call support so it can be enabled. To use the new features, all APs must support firmware MR28 or later and be upgraded to it; this means all access points must be WiFi 5 Wave 2 or higher.
Called Station ID
The ability to configure the Called-Station-Id attribute that is sent from the access point to the RADIUS server gives network administrators flexibility when creating rules.
Once upgraded to firmware MR28, all access points will automatically set the default for Called-Station-Id to "AP MAC address:SSID Name" and the default for NAS-ID to "AP MAC address:SSID Number".
A maximum of 4 attributes can be configured, including a custom phrase that can be set in the dashboard. The selected attributes are appended to the Called-Station-Id attribute with ":" as the separator. The attributes that can be configured are:
- AP MAC address
- SSID number
- AP name
- SSID name
- RF profile
- AP VLAN ID
- AP tags
- Custom (input by the administrator)
For example, the following packet capture was taken with these attributes selected:
And the resulting Called-Station-Id in the packet capture is:
If the RADIUS proxy feature is used, Called-Station-Id is set to MAC:SSID_NAME automatically and the customization does not take effect.
NAS ID
Similar to Called-Station-Id, Meraki offers a variety of attributes that can be configured for the NAS-ID option, including:
- AP MAC address
- SSID number
- AP name
- SSID name
- RF profile
- AP VLAN ID
- AP tags
- Custom (input by the administrator)
A maximum of 4 attributes can be configured, with a ":" between each attribute.
In a packet capture it appears as follows:
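The Called-Station-Id and NAS-ID sections above describe the same construction rule: up to four selected components joined with ":", with Called-Station-Id forced to MAC:SSID_NAME when the RADIUS proxy is in use. The following Python model is an added example, not Meraki code, and is written so that a RADIUS administrator can see what value to expect and how to split it back into components on the server side. The `ApContext` values, the hyphenated MAC notation, the order in which components are appended, and the way multiple AP tags are joined are all assumptions; the four-component limit, the ":" separator, the proxy behaviour and the post-MR28 defaults come from the page.

```python
from dataclasses import dataclass, field

# From the page: at most four components, joined with ":".
MAX_ATTRIBUTES = 4
SEPARATOR = ":"

# Defaults applied after the MR28 upgrade (from the page).
DEFAULT_SELECTION = {
    "Called-Station-Id": ["AP MAC address", "SSID name"],
    "NAS-Identifier": ["AP MAC address", "SSID number"],
}


@dataclass
class ApContext:
    """Constructed sample values for one AP/SSID pair; the MAC notation is an assumption."""
    ap_mac: str
    ssid_number: int
    ap_name: str
    ssid_name: str
    rf_profile: str
    ap_vlan_id: int
    ap_tags: list = field(default_factory=list)


def _component(ctx: ApContext, kind: str, custom_text: str) -> str:
    """Render one selectable attribute; the list of kinds is the one on the page."""
    mapping = {
        "AP MAC address": ctx.ap_mac,
        "SSID number": str(ctx.ssid_number),
        "AP name": ctx.ap_name,
        "SSID name": ctx.ssid_name,
        "RF profile": ctx.rf_profile,
        "AP VLAN ID": str(ctx.ap_vlan_id),
        "AP tags": " ".join(ctx.ap_tags),  # assumption: several tags joined with spaces
        "Custom": custom_text,              # text typed by the administrator
    }
    if kind not in mapping:
        raise ValueError(f"unknown attribute kind: {kind}")
    return mapping[kind]


def build_station_id(ctx, selected=None, custom_text="", attribute="Called-Station-Id", radius_proxy=False):
    """Model of the value an AP would send for Called-Station-Id or NAS-Identifier.
    An empty selection yields the post-MR28 default for that attribute."""
    if attribute not in DEFAULT_SELECTION:
        raise ValueError(f"unsupported attribute: {attribute}")
    if attribute == "Called-Station-Id" and radius_proxy:
        # With the RADIUS proxy the customisation is ignored (page): MAC:SSID_NAME.
        return f"{ctx.ap_mac}{SEPARATOR}{ctx.ssid_name}"
    selected = list(selected) if selected else DEFAULT_SELECTION[attribute]
    if len(selected) > MAX_ATTRIBUTES:
        raise ValueError(f"at most {MAX_ATTRIBUTES} attributes may be selected")
    # Assumption: components are appended in the order they were selected.
    return SEPARATOR.join(_component(ctx, kind, custom_text) for kind in selected)


def parse_station_id(value: str, selected) -> dict:
    """Server-side split of a received value back into named components.
    Components are assumed not to contain ':' themselves; a MAC written with
    colons, or custom text containing ':', would make the split ambiguous,
    which is why the component count is checked before the value is trusted."""
    parts = value.split(SEPARATOR)
    if len(parts) != len(selected):
        raise ValueError(f"expected {len(selected)} components, got {len(parts)}: {value!r}")
    return dict(zip(selected, parts))


if __name__ == "__main__":
    ap = ApContext("00-18-0A-11-22-33", 2, "lobby-ap", "Corp", "Office", 10, ["floor1", "guest"])
    print(build_station_id(ap))                                   # default Called-Station-Id
    print(build_station_id(ap, attribute="NAS-Identifier"))       # default NAS-ID
    print(build_station_id(ap, ["AP name", "Custom"], "bldg7", radius_proxy=True))
```

The parser is the part a RADIUS policy author actually needs: a rule that keys on, say, the SSID name should read it from the known position in the split value rather than substring-matching the whole attribute, and should reject values whose component count is wrong instead of silently matching a custom phrase that happens to contain the separator.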
Server Timeout and Retry Count
Two settings control how long the Meraki dashboard should wait before it classifies a RADIUS server as inactive/unreachable:
- Server timeout specifies how long, in seconds, to wait for a response from a RADIUS server before it is marked inactive/unreachable: 1 to 10 seconds.
- Retry count specifies how many retries should be made before moving to the next server: 1 to 5 retries.
RADIUS Fallback
The fallback behavior depends on the order in which the servers are listed on the dashboard, which dictates the priority of each one. For example:
- Server 1 = priority 1
- Server 2 = priority 2
- Server 3 = priority 3
The available server with the highest priority will be used (priority 1 is the highest). If Server 1 becomes unreachable, Server 2 becomes active, and so on.
If the fallback option is enabled, once a higher-priority server recovers, the AP switches back to that preferred (higher-priority) server.
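The timeout, retry count and fallback settings above interact, and the practical question for an operator is how long authentications stall when the first server goes quiet. The following Python simulation is an added example, not Meraki code, and models the behaviour the page describes: servers are tried in dashboard order, each unanswered attempt costs one server timeout, and after the retry count is exhausted the next server is used. Assumptions: the retry count is taken as the number of attempts made before moving on, the model ties fallback to the periodic RADIUS test described earlier on the page (the AP returns to the best reachable server once a test succeeds), and the server addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Ranges from the page.
MIN_TIMEOUT_S, MAX_TIMEOUT_S = 1, 10
MIN_RETRIES, MAX_RETRIES = 1, 5


@dataclass(frozen=True)
class RadiusServer:
    host: str          # constructed addresses in the usage below
    port: int = 1812


class RadiusFailover:
    """Model of the AP's server selection: servers are tried in dashboard order
    (index 0 = priority 1); a server that does not answer retry_count attempts,
    each waiting timeout_s seconds, is treated as unreachable and the next is tried."""

    def __init__(self, servers: List[RadiusServer], timeout_s: int, retry_count: int, fallback: bool = False):
        if not MIN_TIMEOUT_S <= timeout_s <= MAX_TIMEOUT_S:
            raise ValueError(f"server timeout must be {MIN_TIMEOUT_S}-{MAX_TIMEOUT_S} seconds")
        if not MIN_RETRIES <= retry_count <= MAX_RETRIES:
            raise ValueError(f"retry count must be {MIN_RETRIES}-{MAX_RETRIES}")
        if not servers:
            raise ValueError("at least one RADIUS server is required")
        self.servers = list(servers)
        self.timeout_s = timeout_s
        self.retry_count = retry_count
        self.fallback = fallback
        self.active = 0  # index of the server currently in use

    def send(self, is_reachable: Callable[[RadiusServer], bool]) -> Tuple[RadiusServer, int]:
        """Deliver one request. Returns (server that answered, seconds spent waiting).
        is_reachable stands in for the network; in a test it is a simple hook."""
        waited = 0
        # Start at the active server, then continue down the list and wrap around.
        order = list(range(self.active, len(self.servers))) + list(range(0, self.active))
        for idx in order:
            server = self.servers[idx]
            # Assumption: retry_count is the number of attempts before moving on.
            for _attempt in range(self.retry_count):
                if is_reachable(server):
                    self.active = idx
                    return server, waited
                waited += self.timeout_s  # each unanswered attempt costs a full timeout
        raise RuntimeError(f"no RADIUS server answered after {waited} seconds")

    def apply_test_results(self, is_reachable: Callable[[RadiusServer], bool]) -> RadiusServer:
        """Model of the periodic RADIUS test (the meraki_8021x_test probe on the page).
        With fallback enabled the AP returns to the highest-priority reachable server;
        without it the AP stays on the server it is currently using."""
        if self.fallback:
            for idx, server in enumerate(self.servers):
                if is_reachable(server):
                    self.active = idx
                    break
        return self.servers[self.active]


if __name__ == "__main__":
    pool = [RadiusServer("10.0.0.1"), RadiusServer("10.0.0.2"), RadiusServer("10.0.0.3")]
    up = {"10.0.0.2", "10.0.0.3"}           # constructed outage: priority-1 server is down
    client = RadiusFailover(pool, timeout_s=3, retry_count=2, fallback=True)
    server, waited = client.send(lambda s: s.host in up)
    print(f"answered by {server.host} after waiting {waited} s")   # 10.0.0.2 after 6 s
```

The number worth noticing is the wait: with a 3 second timeout and 2 retries, every client authenticating while the first server is down waits 6 seconds before the second server is even tried, and with all three servers down the stall is 18 seconds per request. Keeping the timeout and retry count small on a well-connected server pool limits that stall, while fallback decides whether the AP drifts back to the preferred server or stays on the one that last answered.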
RADIUS VLAN Override
RADIUS VLAN Override allows the VLAN assigned to a client to be overridden by the attributes received from the RADIUS server; it is enabled with the "RADIUS override" option and is disabled by default.
For a VLAN override to be successful, the RADIUS server must send:
- IETF 64 (Tunnel-Type): set this to VLAN.
- IETF 65 (Tunnel-Medium-Type): set this to 802.
- IETF 81 (Tunnel-Private-Group-ID): set this to the VLAN ID.
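Both the group policy lookup described under "RADIUS attribute specifying group policy name" and the VLAN override above are decisions the AP takes from the contents of a single Access-Accept. The following Python model is an added example, not Meraki code, and shows the two checks side by side so that an administrator writing RADIUS reply rules can see which combinations take effect and which fall back to the SSID's own settings. The numeric values 13 (Tunnel-Type = VLAN) and 6 (Tunnel-Medium-Type = IEEE-802) are the RFC 2868 values for those attributes; the exact-match rule for group policy names, the 1 to 4094 VLAN range check, the flat attribute dictionary (tunnel attribute tags are ignored) and the sample Access-Accept are assumptions.

```python
# RFC 2868 values for the two enumerated tunnel attributes; the page refers to
# them by their IETF attribute numbers (64, 65, 81).
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type (IETF 64) = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type (IETF 65) = IEEE-802
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # assumption: ordinary 802.1Q VLAN ID range

# Accept either the numeric value or the name a RADIUS server dictionary prints;
# "802" is the spelling the page uses for the medium type.
_TUNNEL_TYPE_OK = {TUNNEL_TYPE_VLAN, "VLAN"}
_TUNNEL_MEDIUM_OK = {TUNNEL_MEDIUM_IEEE_802, "IEEE-802", "802"}

# The four attributes the page lists for group policy lookup.
GROUP_POLICY_ATTRIBUTES = ("Filter-ID", "Reply-Message", "Airespace-ACL-Name", "Aruba-User-Role")


def lookup_group_policy(access_accept: dict, configured_attribute: str, group_policies) -> str:
    """Return the group policy to apply, or None if the configured attribute is
    absent or its value matches no configured policy name (exact match assumed)."""
    if configured_attribute not in GROUP_POLICY_ATTRIBUTES:
        raise ValueError(f"unsupported group policy attribute: {configured_attribute}")
    value = access_accept.get(configured_attribute)
    return value if value in group_policies else None


def resolve_vlan(access_accept: dict, override_enabled: bool, ssid_vlan: int) -> int:
    """Return the VLAN the client should land in. The override applies only when
    it is enabled and all three tunnel attributes are present and consistent;
    otherwise the SSID's own VLAN is kept."""
    if not override_enabled:
        return ssid_vlan
    if access_accept.get("Tunnel-Type") not in _TUNNEL_TYPE_OK:
        return ssid_vlan
    if access_accept.get("Tunnel-Medium-Type") not in _TUNNEL_MEDIUM_OK:
        return ssid_vlan
    try:
        vlan = int(access_accept["Tunnel-Private-Group-ID"])
    except (KeyError, TypeError, ValueError):
        return ssid_vlan          # missing or non-numeric VLAN ID: keep SSID VLAN
    if not VLAN_ID_MIN <= vlan <= VLAN_ID_MAX:
        return ssid_vlan
    return vlan


def apply_access_accept(access_accept: dict, configured_attribute: str, group_policies,
                        override_enabled: bool, ssid_vlan: int) -> dict:
    """Combine both decisions for one Access-Accept."""
    return {
        "group_policy": lookup_group_policy(access_accept, configured_attribute, group_policies),
        "vlan": resolve_vlan(access_accept, override_enabled, ssid_vlan),
    }


# Constructed sample Access-Accept (attribute name -> value), not a capture.
SAMPLE_ACCEPT = {
    "Filter-ID": "Contractors",
    "Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
    "Tunnel-Private-Group-ID": "100",
}

if __name__ == "__main__":
    policies = {"Contractors", "Staff"}      # constructed group policy names
    print(apply_access_accept(SAMPLE_ACCEPT, "Filter-ID", policies, override_enabled=True, ssid_vlan=10))
    print(apply_access_accept(SAMPLE_ACCEPT, "Filter-ID", policies, override_enabled=False, ssid_vlan=10))
```

The failure modes are the useful part: a reply that carries only Tunnel-Private-Group-ID, or a VLAN ID outside the valid range, leaves the client in the SSID's VLAN rather than in an unintended one, and a Filter-ID whose value is spelled differently from the dashboard group policy name applies no policy at all, which is worth checking in the RADIUS server's reply configuration before relying on it for segmentation.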
EAP Timers
The Meraki dashboard provides the ability to customize the EAP timers for communication over wireless between the access point and the client.
It is not recommended to change these values without oversight from an expert technician.