Wireless-capable MX or Z1 devices have the option to authenticate wireless users with a RADIUS server. If this RADIUS server exists on the other side of a VPN tunnel, it will be important to note which IP address the MX/Z1 will use when sending its Access-request messages. This article explains how to determine the source IP address used by a wireless-capable MX or Z1 for RADIUS authentication.
The MX and Z1 use the Appliance LAN IP of the highest-numbered VLAN that is included in the VPN as the source address to reach the RADIUS server located on the other side of the VPN tunnel. In the example below, we have an MX60W configured with 2 VLANs 10 and 20, and an SSID named “PARIS” configured for “My RADIUS SERVER” authentication. Please notice that the SSID's VLAN Assignment is set to default(10):
The following figure illustrates the SSID which has been configured to use VLAN 10 and Authentication type "My RADIUS server".
In Dashboard, under Security Appliance/Teleworker Gateway > Configure > Wireless > SSID 1:
NPS server logs can be referenced to observe which IP the RADIUS request is sourced from. The following figure illustrates how the MX60W in this case is using 192.168.51.1 (VLAN 20 - Appliance LAN IP) as the source IP to reach the RADIUS server: