To use the RadSec feature on your Meraki APs, firmware version MR 30.X or later is required.

Customers have reported delays of approx. 1 hr between activating the RadSec feature on the Meraki Dashboard and for it to become functional.

Prepare Certificates

The Meraki platform does not allow you to generate RadSec client certificates from a CA of your choice. Instead, you must use Meraki's built-in Organization CA that is unique to your Meraki Organization.

Download the root certificate of the CA that has issued your RADIUS server certificate as described here. You will need to upload it to your Meraki console later on.

Meraki Configuration

Below settings are the necessary settings to establish a functional RadSec connection with our service. Configure any other settings at your discretion.

  1. Navigate to your Meraki Dashboard

  2. Select Wireless > Access control

  3. Ensure you have switched to the new UI version of the Access control site

  4. Select the SSID you wish to configure RADIUS authentication for (or navigate to Wireless > Configure > SSIDs to create a new SSID first).

  5. In the Security section, select Enterprise with and in the dropdown my RADIUS server

  6. Under RADIUS, click Add server. Configure the IP address to match the RadSec IP address of your RADIUSaaS instance, set the Port to 2083 and set the Secret value to "radsec" and activate the RadSec checkbox.

  7. Click Save

  8. Configure EAP parameters and timeouts according to this reference guide by going to Wireless > Radius > Advanced RADIUS settings. Once configured, it should look similar to the screenshot below.

  9. To upload and generate the required certificates, navigate to Organization > Certificates. In the top table, click Upload certificate and provide the root certificate of the CA that has signed your RADIUS server certificate, which you should have already downloaded in this step. Your Meraki APs now trust your RADIUS server.

  10. Under RadSec AP Certificates, first create an Organization CA by clicking Generate CA. This CA is unique to your Meraki Organization.

  11. Subsequently, trust that Organization CA. The Meraki platform will now automatically generate RadSec client certificates for all your APs signed by this CA. The lifetime of the certificate is very long (> 50 years), i.e. you do not have to worry about renewing them.

  12. Eventually, establish trust between the APs and your RADIUSaaS platform. Therefore, download the root CA certificate of your Organization CA by clicking Download CA. Now, upload the downloaded CA certificate to your Trusted Certificates and select RadSec for trusted certificate type.

Link to Meraki's documentation for the RadSec configuration:

Last updated