How-To: Enable Cloud RADIUS with Entra ID Authentication in Cisco Meraki

How to Set Up Entra ID Users to Authenticate with RADIUS

Don’t want to manage certificates? No problem! You can authenticate your existing Entra ID users using their username and password without needing to manage any PKI infrastructure.

Note that if you have conditional access policies set up in Entra ID (such as MFA), you will need to add an exception for EZRADIUS in order for username/password authentication to work. View this page for more details on adding this exception.

Configure Conditional Access Exception

How to Set Up Local Users to Authenticate with RADIUS

Have legacy devices or non-Entra ID users? You can also create local users directly in EZRADIUS and authenticate them using their username and password. Check out this page for more information on creating local users in EZRADIUS or letting your Entra ID users self-register local RADIUS accounts if needed.

Create Local RADIUS Users

How to Create an Entra ID Username and Password Access Policy

An Entra ID username and password access policy allows you to authenticate your Entra ID users using their existing credentials. View this guide to learn how to create an Entra ID username and password access policy in EZRADIUS if you have not already done so.

Create Entra ID Password Access Policy

How to Create a Local Username and Password Access Policy

A local username and password access policy allows you to authenticate users that you have created directly in EZRADIUS. View this guide to learn how to create a local username and password access policy in EZRADIUS if you have not already done so.

Create Local User Access Policy

How to Add a Cloud RadSec Server to a Cisco Meraki Wi-Fi Network

1. Go to your Meraki Network Controller.

2. Click on Wireless on the left menu and Select SSIDs.

   

3. If you already have an existing network, click on edit settings on the network you want to add RADIUS authentication to. If you don’t have a network, select enabled on the network you want to add RADIUS authentication to.

   

4. Next we are going to select Enterprise with in the Security menu and select my RADIUS server in the dropdown.

   

5. Scroll down to the RADIUS section. You can keep the default settings for all the other sections or change them to your liking.

   

6. Now click on the Add server link.

   

How to Get Your EZRADIUS Server IP Addresses for Cisco Meraki RadSec

You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.

1. Navigate to the EZRADIUS Policies page from the left-hand menu.

2. At the top of the Policies page, you will find the EZRADIUS Server IP addresses. Copy one of the IP addresses from the region closest to your network controller (you’ll add the others later).

   

How to Add EZRADIUS Server IP Addresses to Cisco Meraki for RadSec

1. Now we will go back to the Meraki Network Network Controller and paste:

   • In the Host IP or FQDN field, enter the copied Server IP address from EZRADIUS.
   • In the Port field, enter 2083.
   • In the Secret field, enter “radsec”.

2. Click on Done.

   

3. Repeat the above steps for one IP address from each region in your EZRADIUS instance for higher availability.

How to Enable RADIUS Accounting in Cisco Meraki for RadSec

RADIUS Accounting gives you detailed information about each session such as data used, connection time, etc. You can enable RADIUS Accounting in your Meraki Network Controller to send accounting logs to EZRADIUS. From there EZRADIUS can forward the logs to your SIEM and make them available in Audit Logs.

1. Fill out the RADIUS accounting servers section with:

   • In the Host IP or FQDN field, enter the copied Server IP address from EZRADIUS.
   • In the Port field, enter 2083.
   • In the Secret field, enter radsec.

   

How to Enable RADIUS Testing in Cisco Meraki for RadSec

1. Enable Radius testing. This will ensure Meraki tests the connection to the RADIUS servers and selects the best one available.

How to Configure RADIUS Timeout and Retries in Cisco Meraki for RadSec

1. Scroll down to the Advanced RADIUS section and fill out the following fields (these settings are recommended to ensure a stable connection with EZRADIUS):

   • Server timeout of 10 seconds.
   • Retry count of at least 3 times.
   • RADIUS fallback set to Active.
   • EAP Timeout of 30 seconds.
   • EAP max retries of 5 times.
   • EAP identity timeout of 30 seconds.
   • EAP identity retries of 5 times.
   • EAPOL key timeout of 2000 milliseconds.
   • EAPOL key retries of 4 times.

2. If you have setup your EZRADIUS with Filter-ID or VLANs, you can setup the filter ID or VLAN in their respective fields.

   

3. Scroll to the bottom and click on Save.

   

How to Create the RadSec Trust in Meraki

Now that we have configured the RADIUS server, the next step is to get the certificate from Meraki for our cloud RADIUS to trust your device and add the server certificate so Meraki trusts the cloud RADIUS.

1. Navigate to the Organization menu and click on Certificates.

   

How to Get the RadSec CA Certificate from EZRADIUS

The RadSec CA Certificate is used by your network controller to verify the identity of the EZRADIUS server when establishing a secure TLS connection. You can download the RadSec CA Certificate directly from the EZRADIUS dashboard.

1. Navigate to the EZRADIUS Policies page from the left-hand menu.

2. Click Download RadSec CA Certificate and save it to your local machine. It should be named radsec_ca.cer, or similar.

   

How to Upload the RadSec CA Certificate to Meraki

1. Go back to the Meraki tab and click on Upload CA Certificate.

   

How to Download the Meraki RadSec CA Certificate

Now that we have uploaded the CA Certificate, we need to download the CA Certificate from Meraki. This is automatically created and lasts 70 years. Don’t worry they are expecting we die before we have to renew it.

1. Click on Download CA and save the certificate to your computer.

   

How to Upload the Meraki RadSec CA Certificate to EZRADIUS

1. Go back to the EZRADIUS tab and scroll down to your policy with RadSec enable.

2. Under RadSec (RADIUS TLS) Client Configuration click on Upload Certificate and select the CA Certificate you downloaded from Meraki.

   

3. Scroll to the top of the policy and click on Save Changes.

   

4. Done! Now we have setup the RadSec trust between Meraki and EZRADIUS, you can now connect your devices to the network using certificate authentication.

How to Add a RADIUS Server to a Cisco Meraki Wired Network

1. Go to your Meraki Network Controller

2. Click on Security & SD-WAN on the menu and the select Addressing & VLANs

   

3. Scroll down to the Per-port VLAN Settings and select the port for which you want to enable authentication

   

4. In the Configure MX LAN ports change the type to Access and set the Access Policy to 802.1x.

How to Get Your EZRADIUS Server IP Addresses for Cisco Meraki RADIUS

You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.

1. Navigate to the EZRADIUS Policies page from the left-hand menu.

2. At the top of the Policies page, you will find the EZRADIUS Server IP addresses. Copy one of the IP addresses from the region closest to your network controller (you’ll add the others later).

   

How to Get Your EZRADIUS Shared Secret for Cisco Meraki RADIUS

When you added your public IP address to your EZRADIUS policy, a shared secret was automatically generated for you. This shared secret is used to authenticate your network controller (RADIUS client) to the EZRADIUS server.

1. In the EZRADIUS portal, navigate to the EZRADIUS Policies page from the left-hand menu.

2. Scroll down to your RADIUS policy and find the Classic RADIUS Allowed IP Addresses section.

3. For your public IP address, click on the eye icon to reveal the shared secret.

   

How to Configure a RADIUS Server in a Cisco Meraki Wired Network

1. Back in the Meraki Network Controller, enter the RADIUS Server IP in the host field.

2. In the port field, enter 1812.

3. In the secret field, enter the Shared Secret you got from EZRADIUS.

4. Repeat the above steps for one IP address from each region in your EZRADIUS instance for higher availability.

5. Click Update to save the RADIUS server settings.

   

6. Click on Save at the bottom of the page to apply the changes.

   

7. Done!

How to Configure Cloud RADIUS for Cisco Meraki VPN

1. Go to your Meraki VPN Controller.

2. Click on Security & SD-Wan on the left menu and Select Client VPN.

   

3. Make sure that the Client VPN Server is enabled.

4. Enter the Subnet you want to use for your VPN clients.

5. In the DNS nameservers field, enter the DNS servers you want to use for your VPN clients.

6. In the shared secret field, enter a shared secret that you will use for your VPN clients.

7. In the Authentication dropdown, select RADIUS.

   

8. Click on Add a RADIUS server.

   

How to Get Your EZRADIUS Server IP Addresses for Cisco Meraki VPN RADIUS

You can get your EZRADIUS Server IP addresses from the EZRADIUS dashboard. These IP addresses are needed to configure your network controller to communicate with the EZRADIUS service.

1. Navigate to the EZRADIUS Policies page from the left-hand menu.

2. At the top of the Policies page, you will find the EZRADIUS Server IP addresses. Copy one of the IP addresses from the region closest to your network controller (you’ll add the others later).

   

How to Add EZRADIUS Server IP Addresses to Cisco Meraki VPN

1. Navigate back to the Meraki VPN Network Controller
2. Paste the RADIUS Server IP" in the Host field.
3. In the Port field, enter 1812.

How to Get Your EZRADIUS Shared Secret for Cisco Meraki VPN RADIUS

When you added your public IP address to your EZRADIUS policy, a shared secret was automatically generated for you. This shared secret is used to authenticate your network controller (RADIUS client) to the EZRADIUS server.

1. In the EZRADIUS portal, navigate to the EZRADIUS Policies page from the left-hand menu.

2. Scroll down to your RADIUS policy and find the Classic RADIUS Allowed IP Addresses section.

3. For your public IP address, click on the eye icon to reveal the shared secret.

   

How to Add the EZRADIUS Shared Secret to Cisco Meraki VPN

1. Navigate back to the Meraki VPN Network Controller

2. In the Authentication field, paste the Shared Secret you copied from EZRADIUS.

   

3. Repeat the above steps for one IP address from each region in your EZRADIUS instance for higher availability.

How to Configure RADIUS Timeout in Cisco Meraki VPN

1. Set the RADIUS timeout to 30 seconds.

2. Set the Retry Count to 4 times.

3. Click on Save Changes at the bottom of the page.

   

4. Done!

How to Connect Devices to Meraki VPN with Entra ID Authentication

Now that we have setup your Meraki VPN with RADIUS authentication, now your users can follow this guide to create their network password and then use their username and created password to authenticate to the VPN.

Note: These steps show how to configure a VPN manually in Windows but we recommend using an MDM to distribute the VPN settings and make it easier for your users.

1. Go to your Windows device.

2. Click on the network icon on the bottom right.

3. Click on VPN.

4. Click on More VPN Settings on the bottom left.

5. Click on Add a VPN.

   

6. In the VPN Provider dropdown, select Windows (built-in).

7. In the Connection Name field, enter a name for your VPN connection.

8. In the Server Name or Address field, enter the hostname from your Meraki Dashboard or the public IP address of your Meraki VPN.

9. In the VPN Type dropdown, select L2TP/IPsec with pre-shared key.

10. In the Pre-shared key field, enter the shared secret you setup in your Meraki VPN.

11. In the Type of sign-in info dropdown, select Username and password.

12. Click on Save.

    

13. When you click on Connect, you will be prompted to enter your username and password. Make sure to use a local user account created using the self-service portal as explained above.

    

14. Click on Connect and you will be connected to your Meraki VPN.

How to Push the RADIUS CA Certificate and Wi-Fi Profile Using Jamf Pro

Follow these Jamf Pro step-by-step guides to push the required CA certificate and Wi-Fi profile to your users’ devices so they can seamlessly connect to your Cisco Meraki network using Cloud RADIUS.

Jamf Pro Guide

How to Manually Configure the RADIUS CA Certificate and Wi-Fi Profile on Your Devices

Follow these manual configuration step-by-step guides to manually configure the required CA certificate and Wi-Fi profile on your users’ devices so they can connect to your Cisco Meraki network using Cloud RADIUS.

Manual Configuration Guide