How-To: Setup Meraki Network Entra ID Authentication Using RADIUS

Meraki Network is a cloud-managed enterprise network solution that allows you to connect your devices to your network securely. This guide will show you how to enable RADIUS authentication in Meraki Network with Entra ID.

Prerequisites for Setting Up Entra ID Authentication With RADIUS in Meraki Network

  1. Register the application in your tenant
  2. Create a Cloud Radius Instance
  3. Make Sure You Are A Subscription Owner, Network Administrator or Log Reader
  4. Register your Meraki Device’s Public IP Address in your RADIUS Access Policies

Introduction - How Entra ID Authentication Works in Meraki Networks and EZRADIUS

For your Meraki network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. This guide will show you how to enable RADIUS authentication in WPA-Enterprise with Meraki and EZRADIUS. (Note: This can be achieved with an Entra ID username and password, but we recommend using EAP-TLS with Entra ID for a more secure and easier authentication method. While EAP-TLS might sound intimidating, here is a 20 minute video on setting up everything from the RADIUS server to the Certificate Authority.)

How RADIUS Authentication Works with Meraki Network and EZRADIUS and Entra ID

How to Enable RADIUS Authentication In Your Meraki Network - Video Version

Check out our video guides for the easiest way to get up and running with RADIUS authentication in your Meraki Network.

How to Use EAP-TLS Certificate Authentication In Your Meraki Network

EAP-TLS is the recommended authentication method as it is more secure and easier once set up. This video will guide you through setting up EAP-TLS with Entra ID in your Meraki Network.

How to Use Entra ID Username and Password Authentication In Your Meraki Network

Entra ID Username and Password authentication with EAP-TTLS allows you to authenticate users using their Entra ID credentials without needing to manage PKI infrastructure. This video will guide you through setting up EAP-TTLS with Entra ID in your Meraki Network.

How to Enable RADIUS Authentication In Your Meraki Network - Step by Step

  1. Go to your Meraki Network Controller.

  2. Click on Wireless on the left menu and Select SSIDs.


  3. If you already have an existing network, click on edit settings on the network you want to add RADIUS authentication to. (If you don’t have a network yet, drop down the “disabled” field next to the Unconfigured SSID and select enabled, and then edit its settings.)


  4. Select "Enterprise with" in the Security menu and select "my RADIUS server" in the dropdown.


  5. Scroll down to the RADIUS section. You can keep the default settings for all the other sections or change them to your liking.


  6. Now click on the Add Server link.


  7. In another tab, go to your EZRADIUS dashboard and copy the RADIUS Server IP from the Policies page. (You can choose any of the IP addresses; they are interconnected between availability zones.)


  8. From your Policy Details, copy the Shared Secret you set up for this client IP Address.


  9. Back in the Meraki Network Controller, paste the IP address in the Host IP or FQDN field.

  10. In the Port field, enter “1812”.

  11. In the Secret field, paste the Shared Secret you copied from EZRADIUS.

  12. Click on Done.


  13. If you want to add multiple IPs for higher availability, click on Add a RADIUS server and repeat the steps for the other two IPs.

  14. If you want to enable Accounting (giving you more information about each session such as data used, connection time, etc.), you can do so by adding the same IP addresses and Shared Secrets for Accounting, but the port is 1813 instead of 1812.

  15. Scroll down to the Advanced RADIUS section.

  16. If you have set up your EZRADIUS with Filter-ID or VLANs, you can set the filter ID or VLAN in their respective fields.

  17. Enter the following settings (these settings are recommended to ensure a stable connection with EZRADIUS):

    • Server timeout to 10 seconds
    • Retry count to 3 times
    • RADIUS fallback to “Active”
    • EAP Timeout to 30 seconds.
    • EAP max retries to 5 times.
    • EAP identity timeout to 30 seconds.
    • EAP identity retries to 5 times.
    • EAPOL key timeout to 2000 milliseconds.
    • EAPOL key retries to 4 times.


  18. Scroll to the bottom and click on Save.


How to Test Wifi Certificate Authentication in Meraki Network

Now that we have set up RADIUS authentication in your Meraki Network, we recommend manually testing the authentication to make sure everything is working as expected before dealing with Intune or any other MDM. If you are using EZCA, first enable self service certificates and manually create a certificate. Once you have created the certificate and installed it in your user store, you can test the Wi-Fi authentication using the certificate.

How to Troubleshoot Certificate Authentication in EZRADIUS

The best way to troubleshoot certificate authentication in EZRADIUS is to check the logs. You can do this by going to the “Audit Logs” page in your EZRADIUS dashboard and filtering the logs by the user you are trying to authenticate. You can read more troubleshooting tips in our troubleshooting guide.

How to Connect Devices to Meraki Network with Entra ID Certificate Authentication

Now that you have set up your Meraki Network with RADIUS authentication, you can distribute your certificates using Intune and automatically authenticate your users to the network. If you are not using certificates, you can follow this guide to set up your devices to authenticate with their Entra ID username and password.

How to Setup RADIUS Authentication for Wired Ethernet Authentication in Meraki Network

  1. Go to your Meraki Network Controller

  2. Click on Security & SD-WAN on the menu and then select Addressing & VLANs


  3. Scroll down to the Per-port VLAN Settings and select the port for which you want to enable authentication


  4. In Configure MX LAN ports, change the type to Access, set the Access Policy to 802.1x, enter the EZRADIUS server credentials, and click on Update


  5. Save the changes


Meraki RADIUS FAQs and Troubleshooting

Below are some common questions and troubleshooting tips for setting up RADIUS authentication in Meraki networks.

When setting up RADIUS in Meraki and testing the connection to the RADIUS server, what credentials should I use?

The credentials you use don’t really matter, as the authentication will fail anyway since Meraki uses legacy authentication (PEAP-MSCHAPV2) to do the test.

However, running the test will tell you whether your Meraki network can connect to EZRADIUS and whether EZRADIUS responds. If EZRADIUS does not respond, it is usually for one of two reasons:

  1. You have a firewall rule blocking access to ports 1812 and 1813.
  2. The wrong public IP address is added to EZRADIUS. Check if the public IP address of your Meraki network is correctly added to the EZRADIUS allowed IP addresses list, and validate you aren’t running a VPN or other advanced network configuration that might change the public IP address.
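
The same reachability check can be run from any host that leaves through the same public IP as the Meraki network. The following is an added example, not EZRADIUS or Meraki code: it sends a minimal EAP identity Access-Request to port 1812 and verifies the reply's Response Authenticator against the shared secret. The username, the NAS-Identifier value and the function names are assumptions; the timeout and retry defaults mirror the 10 second / 3 attempt settings recommended above.

```python
import hashlib, hmac, os, socket, struct

# RADIUS reply codes (RFC 2865) that can answer an Access-Request.
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, username, ident=None, req_auth=None):
    """Access-Request with an EAP-Response/Identity, the first packet an 802.1X authenticator sends."""
    ident = os.urandom(1)[0] if ident is None else ident
    req_auth = req_auth or os.urandom(16)
    name = username.encode()
    eap = struct.pack("!BBHB", 2, ident, 5 + len(name), 1) + name  # Response, type Identity
    attrs = (_attr(1, name)                       # User-Name
             + _attr(32, b"reachability-probe")   # NAS-Identifier (constructed value)
             + _attr(79, eap)                     # EAP-Message
             + _attr(80, b"\x00" * 16))           # Message-Authenticator, zeroed for the HMAC
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_response(secret, request, reply):
    """Return the reply code if its Response Authenticator matches the secret, else None."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def probe(host, secret, username="probe@example.invalid", port=1812, timeout=10, retries=3):
    """Send the request up to `retries` times and classify what comes back (secret is bytes)."""
    request = build_access_request(secret, username)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            try:
                sock.sendto(request, (host, port))
                reply, _addr = sock.recvfrom(4096)
            except OSError:          # timeout or ICMP unreachable: try again
                continue
            code = verify_response(secret, request, reply)
            if code is None:
                return "reply received, but shared secret does not match"
            return CODES.get(code, f"code {code}")
    return "no response: check firewall on 1812 and the allowed public IP"
```

Any verified reply, whether Access-Challenge or Access-Reject, shows that the server is reachable and the shared secret matches. A RADIUS server may also stay silent when the Message-Authenticator fails to verify, so a timeout does not rule out a wrong secret.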