RADSec (RADIUS over TLS, RFC 6614) carries RADIUS traffic to the RADIUS server inside an encrypted TLS tunnel. It offers confidentiality, integrity and reliable delivery by running TLS, with mutual certificate authentication (similar to EAP-TLS), over TCP instead of sending RADIUS over plain UDP. The end-client authentication process is unchanged compared to normal RADIUS: the same RADIUS packets are exchanged, only the transport between the access point and the server changes.
Note: RADSec support was introduced in MR firmware 30.X. To proceed with configuration ensure you've upgraded to MR 30.X.
The TLS tunnel is established by mutual authentication using certificates; the steps are:
- The access point opens a TCP connection to the RADIUS server (3-way handshake: SYN, SYN-ACK, ACK).
- The access point sends a "Client Hello".
- The server replies with a "Server Hello", presents its own certificate and requests a certificate from the AP.
- The AP validates the server certificate against the root CA uploaded to Dashboard and, if it is valid:
  - the AP sends its own certificate, issued by the Meraki organization CA.
- The server validates the AP certificate against the Meraki organization root CA and, if it is valid:
  - the TLS tunnel is established and RADIUS packets are exchanged inside it.
[Packet capture: example of the packets seen in this exchange]
On top of the PKI and certificates already needed for the end clients' own RADIUS authentication, mTLS requires the AP and the RADIUS server to trust each other's certificate. This trust is established in both directions: the administrator uploads the root CA of the RADIUS server's certificate to the Meraki Dashboard, and loads the Meraki organization's root CA onto the RADIUS server.
Administrators need to add the root CA certificate to the APs so that they can validate the server certificate presented by the RADIUS server. The Dashboard distributes the certificate to all APs in the organization or in a network; this is done from the Organization-level settings page in the Dashboard, and it is also configurable via the API calls in this document.
The Meraki cloud stores a private root CA for each organization; administrators add this root CA to their RADSec server's trust store so that the server can validate the certificates presented by the APs. The Dashboard provisions an individual private certificate, issued by that CA, to each AP within the organization. Alternatively, this can be done at the network level, so that the APs within the network share one certificate. Both options are configurable via the Dashboard UI and via the API calls in this document.
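To make the two-way trust concrete, the following is an added example (written for this page; it is not Meraki's code and not part of the original article) that runs the handshake above in miniature with Python's ssl module. A throwaway "company" root CA issues the RADIUS server certificate, a throwaway "organization" root CA issues the AP certificate, and the two sides talk over a loopback TCP socket standing in for TCP/2083. The server name `radius.example.test`, the AP name `ap-demo-0001`, all keys and certificates, and the 20-byte RADIUS packet are constructed for the demo; the third-party `cryptography` package is used only to mint the certificates. Three scenarios are run: both roots loaded, the AP missing the company root, and the server missing the organization root.

```python
"""Added example (not Meraki's code): the RADSec mutual-TLS exchange in miniature.
Every CA, certificate, name and RADIUS packet below is constructed for the demo."""
import datetime as dt
import socket
import ssl
import struct
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_NAME = "radius.example.test"   # hypothetical RADSec server hostname
PEM, DER = serialization.Encoding.PEM, serialization.Encoding.DER


def _new_cert(cn, issuer=None, is_ca=False, eku=None):
    """Issue a throwaway certificate (self-signed root when issuer is None). SKI/AKI,
    KeyUsage, SAN and EKU are set so that OpenSSL's strict verification accepts the chain."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_key, ca_cert = issuer if issuer else (key, None)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(ca_cert.subject if ca_cert else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5)).not_valid_after(now + dt.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.KeyUsage(
             digital_signature=True, key_encipherment=not is_ca, key_cert_sign=is_ca, crl_sign=is_ca,
             content_commitment=False, data_encipherment=False, key_agreement=False,
             encipher_only=False, decipher_only=False), critical=True))
    if ca_cert is not None:
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
    if eku:   # leaf certificate: name it in a SAN and restrict it to its TLS role
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
        b = b.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    return key, b.sign(ca_key, hashes.SHA256())


def _chain_files(key, cert):
    """load_cert_chain() wants file paths, so spill the identity to temp files."""
    with tempfile.NamedTemporaryFile("wb", suffix=".pem", delete=False) as cf:
        cf.write(cert.public_bytes(PEM))
    with tempfile.NamedTemporaryFile("wb", suffix=".key", delete=False) as kf:
        kf.write(key.private_bytes(PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
    return cf.name, kf.name


def radsec_exchange(ap_identity, ap_trusts, server_identity, server_trusts):
    """One AP -> RADIUS server connection. *_identity is (key, cert); *_trusts is the root CA
    each side was configured with (company root on the AP, Meraki org root on the server)."""
    result = {"tunnel": False, "server_saw_ap": None, "radius_reply": None, "errors": []}
    srv_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cadata=server_trusts.public_bytes(DER))
    srv_ctx.verify_mode = ssl.CERT_REQUIRED        # mTLS: the AP must present a valid certificate
    srv_ctx.load_cert_chain(*_chain_files(*server_identity))
    ap_ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cadata=ap_trusts.public_bytes(DER))
    ap_ctx.load_cert_chain(*_chain_files(*ap_identity))  # per-AP certificate issued by the org CA
    lsock = socket.create_server(("127.0.0.1", 0))       # stands in for TCP/2083 (RFC 6614)

    def server():
        conn, _ = lsock.accept()
        conn.settimeout(5)
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:   # validates the AP cert
                result["server_saw_ap"] = tls.getpeercert()["subject"][0][0][1]
                req = tls.recv(4096)                   # an ordinary RADIUS packet inside TLS
                code, ident, _ = struct.unpack("!BBH", req[:4])
                reply = 2 if code == 1 else 3          # Access-Accept / Access-Reject
                tls.sendall(struct.pack("!BBH", reply, ident, 20) + req[4:20])
        except (ssl.SSLError, OSError) as e:
            result["errors"].append(f"server: {e}")

    t = threading.Thread(target=server, daemon=True)
    t.start()
    try:
        raw = socket.create_connection(lsock.getsockname(), timeout=5)     # TCP 3-way handshake
        with ap_ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:  # ClientHello onward
            result["tunnel"] = True                    # AP-side handshake completed
            # constructed Access-Request: code 1, id 7, length 20, zeroed authenticator
            tls.sendall(struct.pack("!BBH", 1, 7, 20) + bytes(16))
            reply = tls.recv(4096)
            if len(reply) >= 4:
                result["radius_reply"] = reply[0]
    except (ssl.SSLError, OSError) as e:
        result["errors"].append(f"ap: {e}")
    t.join(5)
    lsock.close()
    return result


def run_scenarios():
    """The working setup plus the two one-sided trust mistakes an administrator can make."""
    org_ca = _new_cert("Meraki Org Root CA (constructed)", is_ca=True)
    company_ca = _new_cert("Company Root CA (constructed)", is_ca=True)
    ap = _new_cert("ap-demo-0001", issuer=org_ca, eku=ExtendedKeyUsageOID.CLIENT_AUTH)
    srv = _new_cert(SERVER_NAME, issuer=company_ca, eku=ExtendedKeyUsageOID.SERVER_AUTH)
    return {
        "both_roots_loaded": radsec_exchange(ap, company_ca[1], srv, org_ca[1]),
        "ap_lacks_company_root": radsec_exchange(ap, org_ca[1], srv, org_ca[1]),
        "server_lacks_org_root": radsec_exchange(ap, company_ca[1], srv, company_ca[1]),
    }
```

Only the first scenario yields an Access-Accept. When the AP was not given the company root, it refuses the server certificate during the handshake and the tunnel never comes up. When the server was not given the organization root, the server rejects the AP certificate; with TLS 1.3 the AP-side handshake can already appear complete before that rejection arrives, so on a real deployment "connected, then no RADIUS reply" is a typical symptom of the server missing the Meraki organization root CA rather than of a network problem. Against a real RADSec server the same check can be made by hand with `openssl s_client -connect <server>:2083 -CAfile <company-root.pem> -cert <ap.pem> -key <ap.key>` (paths are placeholders), looking for "Verify return code: 0 (ok)" and for the session surviving past the handshake.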
Configuring this feature requires uploading your company root CA certificate (.pem file) to the Meraki Dashboard.
This feature can be enabled in the Meraki Dashboard or by leveraging the API.
Import company Root CA
1. In the dashboard, navigate to Organization > Certificates > Upload certificates
2. Select the desired Root CA certificate from your local directory
3. Uploaded certificates are listed in the certificate overview page
Create the Organization CA
Generate CA server certificate (one CA per Meraki organization)
Trust the root Certificate Authority