Wi-Fi employee access – Cisco Meraki

In this topic, you will learn how to configure Cisco Meraki access points to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Wi-Fi connections.

Warning: We tested this configuration on a Meraki MR33 access point in our Meraki lab, but we cannot guarantee that it will cover every Meraki product and version. Also, the configuration is generic and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on 802.1X configuration, we strongly recommend that you refer to the documentation provided by Meraki on these topics for your particular device models.
  1. In the Meraki web interface, select your network, and then click on the Wireless > Access control menu option.

  2. In the Access control pane, select the SSID that you want to edit.

    Note: You can choose an existing SSID to reconfigure it or one of the unconfigured SSIDs.
  3. In the Basic info section, enter the SSID for your network if you are configuring an unconfigured SSID or keep/modify your current SSID as needed. Also, make sure that the SSID status is set to Enabled.

    In this example, we used the SSID VORLON, but you can use any SSID you like.

  4. Choose one of the following options depending on whether you want to configure this SSID for standard 802.1X or whether you want to use the IPSK feature of Portnox Cloud.

    • 802.1x: In the Security section, select the Enterprise with option, and from the drop-down menu, select the my RADIUS server option.

    • IPSK: In the Security section, select the Identity PSK with RADIUS option.

  5. Scroll down to the RADIUS section and click on the heading to expand this section.

  6. In the RADIUS servers subsection, click on the Add server link to add the Portnox Cloud RADIUS server.

  7. In the Host IP or FQDN field, enter the IP address of the Portnox Cloud RADIUS server that you created earlier, in the Auth port field, enter the authentication port for this RADIUS server, and in the Secret field, enter the shared secret for this server.
    Important: If you want to use RadSec in your configuration, enter the string radsec as your Secret, not the shared secret copied from the Portnox Cloud RADIUS configuration. Otherwise, the connection will not work.

    1. Optional: Test the connectivity to the server. Enter the credentials of an account that is registered in your Cloud in the Username and Password fields, and then click on the Begin test button.

    2. Close the test pop-up by clicking on the Cancel link.
    3. Click on the Done button to add the Cloud RADIUS server.

  8. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
  9. Repeat the above steps in the RADIUS accounting servers section, entering the same IP address and shared secret, and the Acct port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).

    The above screenshot shows an example configuration for two Cloud RADIUS region servers. Adjust the IP addresses and port numbers to your tenant configuration.

  10. Optional: Configure the EAP timeouts to the values recommended by Portnox for communication with Cloud RADIUS servers.
    1. Click on the Advanced RADIUS settings heading under the list of RADIUS servers to expand this subsection.

    2. Click on the EAP timers heading to expand this subsection.

    3. Enter the following recommended values for EAP timers:
      • EAP timeout: 15 (10-15 seconds for normal use, 15-20 seconds if AD Broker is heavily used in the environment)
      • EAP max retries: 5
      • EAP identity timeout: 5
      • EAP identity retries: 5
      • EAPOL key timeout: 500 (if there are communications issues, you can increase this to 1000).
      • EAPOL key retries: 4
  11. Optional: If you want to use RADIUS Change of Authorization (CoA) functionality, add your local RADIUS (or AD Broker, if you use it for CoA instead of the local RADIUS) installation IP address as the last RADIUS server and activate the RADIUS CoA support checkbox under the list of RADIUS servers.
  12. Configure the Splash page and Client IP and VLAN sections as needed for your environment.
  13. Click on the Save button to save your configuration.

Result: Your Wi-Fi devices can now access the protected Wi-Fi network, using the Portnox Cloud RADIUS servers for authentication.