Meraki
Customers have reported delays between activating the RadSec feature on the Meraki Dashboard and the feature becoming functional.
Prepare certificates
The Meraki platform does not allow you to generate RadSec client certificates from a CA of your choice. Instead, you must use Meraki's built-in Organization CA that is unique to your Meraki Organization.
Download the root certificate of the CA that has issued your active RADIUS Server Certificate as described here. You will need to upload it to your Meraki console later on.
Meraki configuration
Make sure to disable the OCSP revocation check of the RadSec client certificate as described in step 13 of this guide.
Configure the RADIUS server in your SSID
Select the SSID you wish to configure RADIUS authentication for (or navigate to Wireless > Configure > SSIDs to create a new SSID first).
In the Security section of your SSID, select Enterprise with and, in the dropdown, my RADIUS server:

Under RADIUS, click Add server. Configure the Host IP or FQDN to match the IP address or the DNS name of your RadSec service endpoint, set the Port to 2083, set the Secret value to "radsec", and activate the RadSec checkbox.

Configure EAP Timeouts
Configure EAP parameters and timeouts according to this reference guide by going to Wireless > Radius > Advanced RADIUS settings. Once configured, it should look similar to the screenshot below. Click Save to apply the settings.

Add RadSec Server Certificate
To upload and generate the required certificates that make the RadSec connection functional, navigate to Organization > Certificates.

In the top table, click Upload certificate and provide the root certificate of the CA that has signed your RADIUS Server Certificate, which you should have already downloaded in this step. Your Meraki APs now trust your RADIUS server.

Create Organization CA
Under RadSec AP Certificates, first create an Organization CA by clicking Generate CA. This CA is unique to your Meraki Organization. The Meraki platform will now automatically generate RadSec client certificates for all your APs, signed by this CA. The lifetime of these certificates is very long (> 50 years), so you do not have to worry about renewing them.
Download the root CA certificate of your Meraki Organization CA by clicking Download CA.

You will not be able to upload RadSec client certificates of another CA with Meraki. Instead, the Organization CA, which is unique to your organization, will provide all your access points with suitable certificates.
Trust Organization CA in RADIUSaaS
Now, upload the downloaded CA certificate to your Trusted Certificates in your RADIUSaaS web console and select RadSec under Use for.

Disable Revocation Check for RadSec Certificates
Finally, disable the revocation check for the RadSec client certificates on your RADIUSaaS instance (this does not adversely affect security, as the Meraki Organization CA does not allow revoking RadSec client certificates). To do so, navigate to your RADIUSaaS instance, go to Settings > Server Settings, and disable the checkbox Verification check for RadSec certificates.

Test Configuration
To test that the configuration works, you can add a user in your Portal and use the Meraki test function.

References
Link to Meraki's documentation for the RadSec configuration: https://documentation.meraki.com/MR/Encryption_and_Authentication/MR_RADSec