Skip to main content
Cisco Meraki Documentation

MX and Z-series Source IP for RADIUS Authentication

Wireless-capable MX or Z-series devices have the option to authenticate wireless users with a RADIUS server. If this RADIUS server exists on the other side of a VPN tunnel, it will be important to note which IP address the MX/Z-series device will use when sending its Access-request messages. This article explains how to determine the source IP address used by a wireless-capable MX or Z-series device for RADIUS authentication.
 

The MX and Z-series devices use the Appliance LAN IP of the highest-numbered VLAN that is included in the VPN as the source address to reach the RADIUS server located on the other side of the VPN tunnel. In the example below, we have a remote MX configured with 2 VLANs 10 and 20, and an SSID named “PARIS” configured for “My RADIUS server” authentication. Please notice that the SSID's VLAN Assignment is set to default(10):

RADIUS IP.png

 

The following figure illustrates the SSID which has been configured to use VLAN 10 and Authentication type "My RADIUS server".

In Dashboard, under Security & SD-WAN/Teleworker Gateway > Configure > Wireless  > SSID 1:

2d929ec0-3ee8-448c-93c0-887cd4f1ce06
 

NPS server logs can be referenced to observe which IP the RADIUS request is sourced from. The following figure illustrates how the remote MX, in this case, is using 192.168.51.1 (VLAN 20 - Appliance LAN IP) as the source IP to reach the RADIUS server:

a4ff27c0-0f5b-4f29-981c-b8fe52406f5b

 

If the RADIUS server is across a VPN tunnel and the MX is in VPN Concentrator or Single LAN Routed/NAT mode, the MX will use a 6.X.X.X Address as the source address for the Access-Requests to the RADIUS Server.