Wi-Fi employee access – Cisco Meraki

In this topic, you will learn how to configure Cisco Meraki access points to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Wi-Fi connections.

Standard RADIUS configuration

In this topic, you will learn how to configure Cisco Meraki access points to work together with Portnox™ Cloud using standard RADIUS connections without TLS.

Important:
This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
  1. In the Meraki web interface, select your network, and then click on the Wireless > Access control menu option.

  2. In the Access control pane, select the SSID that you want to edit.

    Note:
    You can choose an existing SSID to reconfigure it or one of the unconfigured SSIDs.
  3. In the Basic info section, enter the SSID for your network if you are configuring an unconfigured SSID or keep/modify your current SSID as needed. Also, make sure that the SSID status is set to Enabled.

    In this example, we used the SSID VORLON, but you can use any SSID you like.

  4. Choose one of the following options depending on whether you want to configure this SSID for standard 802.1X or whether you want to use the IPSK feature of Portnox Cloud.

    • 802.1x: In the Security section, select the Enterprise with option, and from the drop-down menu, select the my RADIUS server option.

    • IPSK: In the Security section, select the Identity PSK with RADIUS option.

  5. Scroll down to the RADIUS section and click on the heading to expand this section.

  6. In the RADIUS servers subsection, click on the Add server link to add the Portnox Cloud RADIUS server.

  7. In the Host IP or FQDN field, enter the IP address of the Portnox Cloud RADIUS server that you created earlier, in the Auth port field, enter the authentication port for this RADIUS server, and in the Secret field, enter the shared secret for this server.

    1. Optional: Test the connectivity to the server. Enter the credentials of a Portnox account in the Username and Password fields, and then click on the Begin test button.

      Note:
      We strongly recommend creating a temporary Portnox account for this purpose because the password is sent via MSCHAPv2 without a secure tunnel. Alternatively, you can use any account with an incorrect password and monitor Alerts for authentication failures. If an authentication failure appears in Alerts, it confirms that the RADIUS server is configured correctly.
    2. Close the test pop-up by clicking on the Cancel link.
    3. Click on the Done button to add the Cloud RADIUS server.

  8. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
  9. Repeat the above steps in the RADIUS accounting servers section, entering the same IP address and shared secret, and the Acct port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).

    The above screenshot shows an example configuration for two Cloud RADIUS region servers. Adjust the IP addresses and port numbers to your tenant configuration.

  10. Optional: Configure the timeouts to the values recommended by Portnox for communication with Cloud RADIUS servers.
    1. Click on the Advanced RADIUS settings heading under the list of RADIUS servers to expand this subsection.

    2. Enter the following recommended values for RADIUS timeouts:

      • Server timeout: 10
      • Retry count: 2
      • RADIUS fallback: Active
    3. Click on the EAP timers heading to expand this subsection.

    4. Enter the following recommended values for EAP timers:
      • EAP timeout: 15 (10-15 seconds for normal use, 15-20 seconds if LDAP Broker is heavily used in the environment)
      • EAP max retries: 5
      • EAP identity timeout: 5
      • EAP identity retries: 5
      • EAPOL key timeout: 500 (if there are communications issues, you can increase this to 1000).
      • EAPOL key retries: 4
  11. Optional: If you want to use RADIUS Change of Authorization (CoA) functionality, add your local RADIUS (or LDAP Broker, if you use it for CoA instead of the local RADIUS) installation IP address as the last RADIUS server and activate the RADIUS CoA support checkbox under the list of RADIUS servers.
  12. Configure the Splash page and Client IP and VLAN sections as needed for your environment.
  13. Click on the Save button to save your configuration.

RadSec with server-only authentication

In this topic, you will learn how to configure Cisco Meraki access points to work together with Portnox™ Cloud using RadSec connections with server-only authentication.

Important:
Meraki supports mutual TLS (mTLS). We strongly recommend using mTLS instead of the configuration shown here, as it provides significantly better security. The configuration below is provided only for reference or for situations where mTLS cannot be used.
  1. Upload the Portnox Cloud root CA certificate (DigiCert Trusted Root G4 certificate) using the Meraki web interface:
    1. Download the DigiCert Trusted Root G4 certificate in PEM format from the DigiCert website. Save the file to your local drive.
      Note:
      For explanation of the function of this certificate, see the following section: The root CA certificate.
    2. In the Meraki web interface, go to Organization > Certificates. Then, in the RADSEC tab, click on the Upload CA certificate button, and select the file you downloaded from DigiCert.

      Result: The CA certificate will be uploaded and trusted by all networks in your Meraki environment.

  2. Configure your Portnox Cloud RADIUS server for RadSec with server-only authentication:
    1. In Portnox Cloud, go to Settings > Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance.
    2. Select the instance that you want to configure for RadSec (either Europe and Asia or United States and North America), click on  ⋮  > Edit, and activate the Enable RADIUS over TLS (RadSec) checkbox. Then, click on the Save button.

  3. In the Meraki web interface, select your network, and then click on the Wireless > Access control menu option.

  4. In the Access control pane, select the SSID that you want to edit.

    Note:
    You can choose an existing SSID to reconfigure it or one of the unconfigured SSIDs.
  5. In the Basic info section, enter the SSID for your network if you are configuring an unconfigured SSID or keep/modify your current SSID as needed. Also, make sure that the SSID status is set to Enabled.

    In this example, we used the SSID VORLON, but you can use any SSID you like.

  6. Choose one of the following options depending on whether you want to configure this SSID for standard 802.1X or whether you want to use the IPSK feature of Portnox Cloud.

    • 802.1x: In the Security section, select the Enterprise with option, and from the drop-down menu, select the my RADIUS server option.

    • IPSK: In the Security section, select the Identity PSK with RADIUS option.

  7. Scroll down to the RADIUS section and click on the heading to expand this section.

  8. In the RADIUS servers subsection, click on the Add server link to add the Portnox Cloud RADIUS server.

  9. In the Host IP or FQDN field, enter the IP address of the Portnox Cloud RADIUS server instance, in the Auth port field, enter the authentication port for this RADIUS server, and in the Secret field, enter the string radsec. Then, activate the RadSec checkbox.

    Important:
    Do not enter the shared secret copied from the Portnox Cloud RADIUS configuration. Otherwise, the connection will not work.
    1. Optional: Test the connectivity to the server. Enter the credentials of a Portnox account in the Username and Password fields, and then click on the Begin test button.

      Note:
      We strongly recommend creating a temporary Portnox account for this purpose because the password is sent via MSCHAPv2 without a secure tunnel. Alternatively, you can use any account with an incorrect password and monitor Alerts for authentication failures. If an authentication failure appears in Alerts, it confirms that the RADIUS server is configured correctly.
    2. Close the test pop-up by clicking on the Cancel link.
    3. Click on the Done button to add the Cloud RADIUS server.

  10. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
  11. Repeat the above steps in the RADIUS accounting servers section, entering the same IP address, the radsec shared secret, and the Acct port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).

    The above screenshot shows an example configuration for two Cloud RADIUS region servers. Adjust the IP addresses and port numbers to your tenant configuration.

  12. Optional: Configure the timeouts to the values recommended by Portnox for communication with Cloud RADIUS servers.
    1. Click on the Advanced RADIUS settings heading under the list of RADIUS servers to expand this subsection.

    2. Enter the following recommended values for RADIUS timeouts:

      • Server timeout: 10
      • Retry count: 2
      • RADIUS fallback: Active
    3. Click on the EAP timers heading to expand this subsection.

    4. Enter the following recommended values for EAP timers:
      • EAP timeout: 15 (10-15 seconds for normal use, 15-20 seconds if LDAP Broker is heavily used in the environment)
      • EAP max retries: 5
      • EAP identity timeout: 5
      • EAP identity retries: 5
      • EAPOL key timeout: 500 (if there are communications issues, you can increase this to 1000).
      • EAPOL key retries: 4
  13. Optional: If you want to use RADIUS Change of Authorization (CoA) functionality, add your local RADIUS (or LDAP Broker, if you use it for CoA instead of the local RADIUS) installation IP address as the last RADIUS server and activate the RADIUS CoA support checkbox under the list of RADIUS servers.
  14. Configure the Splash page and Client IP and VLAN sections as needed for your environment.
  15. Click on the Save button to save your configuration.

RadSec with mutual TLS (mTLS)

In this topic, you will learn how to configure Cisco Meraki access points to work together with Portnox™ Cloud using RadSec connections with mutual TLS authentication (mTLS).

Warning:
If you configure Portnox Cloud for mTLS authentication, all your NAS devices that use RadSec must be configured for mTLS (must support mTLS). You cannot configure some devices with mTLS and other devices with server-only authentication. If some of your devices do not support mTLS, use RadSec with server-only authentication for all your devices instead.
  1. Upload the Portnox Cloud root CA certificate (DigiCert Trusted Root G4 certificate) using the Meraki web interface:
    1. Download the DigiCert Trusted Root G4 certificate in PEM format from the DigiCert website. Save the file to your local drive.
      Note:
      For explanation of the function of this certificate, see the following section: The root CA certificate.
    2. In the Meraki web interface, go to Organization > Certificates. Then, in the RADSEC tab, click on the Upload CA certificate button, and select the file you downloaded from DigiCert.

      Result: The CA certificate will be uploaded and trusted by all networks in your Meraki environment.

  2. Download the client certificate from Meraki and upload it to Portnox Cloud:
    1. In the Meraki web interface, go to Organization > Certificates. Then, in the RADSEC tab, scroll down to the RadSec AP Certificates section and click on the Download CA button to save the client certificate to local drive.

    2. In Portnox Cloud, go to Settings > Services > GENERAL SETTINGS > Trusted Root Certificates. Then, click on the Upload trusted root certificate generated by ... link and click the Certificate button to select the file you just downloaded from Meraki. Then, click on the Save button.

  3. Configure your Portnox Cloud RADIUS server for RadSec with mTLS authentication:
    1. In Portnox Cloud, go to Settings > Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance.
    2. Select the instance that you want to configure for RadSec (either Europe and Asia or United States and North America), click on  ⋮  > Edit, and activate the Enable RADIUS over TLS (RadSec) checkbox and the V Validate NAS Client Certificate (RadSec) checkbox. Then, click on the Save button.

  4. In the Meraki web interface, select your network, and then click on the Wireless > Access control menu option.

  5. In the Access control pane, select the SSID that you want to edit.

    Note:
    You can choose an existing SSID to reconfigure it or one of the unconfigured SSIDs.
  6. In the Basic info section, enter the SSID for your network if you are configuring an unconfigured SSID or keep/modify your current SSID as needed. Also, make sure that the SSID status is set to Enabled.

    In this example, we used the SSID VORLON, but you can use any SSID you like.

  7. Choose one of the following options depending on whether you want to configure this SSID for standard 802.1X or whether you want to use the IPSK feature of Portnox Cloud.

    • 802.1x: In the Security section, select the Enterprise with option, and from the drop-down menu, select the my RADIUS server option.

    • IPSK: In the Security section, select the Identity PSK with RADIUS option.

  8. Scroll down to the RADIUS section and click on the heading to expand this section.

  9. In the RADIUS servers subsection, click on the Add server link to add the Portnox Cloud RADIUS server.

  10. In the Host IP or FQDN field, enter the IP address of the Portnox Cloud RADIUS server instance, in the Auth port field, enter the authentication port for this RADIUS server, and in the Secret field, enter the string radsec. Then, activate the RadSec checkbox.

    Important:
    Do not enter the shared secret copied from the Portnox Cloud RADIUS configuration. Otherwise, the connection will not work.
    1. Optional: Test the connectivity to the server. Enter the credentials of a Portnox account in the Username and Password fields, and then click on the Begin test button.

      Note:
      We strongly recommend creating a temporary Portnox account for this purpose because the password is sent via MSCHAPv2 without a secure tunnel. Alternatively, you can use any account with an incorrect password and monitor Alerts for authentication failures. If an authentication failure appears in Alerts, it confirms that the RADIUS server is configured correctly.
    2. Close the test pop-up by clicking on the Cancel link.
    3. Click on the Done button to add the Cloud RADIUS server.

  11. If you use two Cloud RADIUS servers in both regions, repeat the above steps for the second RADIUS server.
  12. Repeat the above steps in the RADIUS accounting servers section, entering the same IP address, the radsec shared secret, and the Acct port number from your Cloud RADIUS server configuration (for one or two servers, depending on your configuration).

    The above screenshot shows an example configuration for two Cloud RADIUS region servers. Adjust the IP addresses and port numbers to your tenant configuration.

  13. Optional: Configure the timeouts to the values recommended by Portnox for communication with Cloud RADIUS servers.
    1. Click on the Advanced RADIUS settings heading under the list of RADIUS servers to expand this subsection.

    2. Enter the following recommended values for RADIUS timeouts:

      • Server timeout: 10
      • Retry count: 2
      • RADIUS fallback: Active
    3. Click on the EAP timers heading to expand this subsection.

    4. Enter the following recommended values for EAP timers:
      • EAP timeout: 15 (10-15 seconds for normal use, 15-20 seconds if LDAP Broker is heavily used in the environment)
      • EAP max retries: 5
      • EAP identity timeout: 5
      • EAP identity retries: 5
      • EAPOL key timeout: 500 (if there are communications issues, you can increase this to 1000).
      • EAPOL key retries: 4
  14. Optional: If you want to use RADIUS Change of Authorization (CoA) functionality, add your local RADIUS (or LDAP Broker, if you use it for CoA instead of the local RADIUS) installation IP address as the last RADIUS server and activate the RADIUS CoA support checkbox under the list of RADIUS servers.
  15. Configure the Splash page and Client IP and VLAN sections as needed for your environment.
  16. Click on the Save button to save your configuration.