How to integrate RADIUS and MAC Authentication with Cisco Meraki
Introduction
This guide demonstrates the authentication process of devices based on their respective physical MAC addresses using Media Access Control (MAC). Once the source MAC address is identified, the switch generates an access-request message, with the user/machine’s MAC address as the identity, and sends it to the RADIUS server. The RADIUS server performs MAC authentication after getting the access-request message.
The RADIUS authentication server determines whether to grant access to the user/device and specifies the level of access the client should receive. After making this decision, the RADIUS server transmits the access-accept, allowing the user/machine to access the network.
If you are interested in setting up EAP-TLS Authentication, you can find the relevant instructions and resources at the following link: How to Set Up EAP-TLS WPA2-Enterprise With Meraki
Create a MAC Authentication Identity Provider in SecureW2
Follow the below steps to create an Identity Provider in JoinNow Management Portal and configure it for MAC Authentication:
- Log in to JoinNow MultiOS Management Portal.
- Navigate to Identity Management > Identity Providers.
- Click Add Identity Provider.
- In the Name field, enter a name for your IdP.
- In the Description field, enter a suitable description for your IdP.
- From the Type drop-down list, select MAC Authentication.
- Click Save.
- The page refreshes and displays the Configuration and Groups tabs.
- Select the Groups tab.
- Click Add group.
- On the displayed pop-up window, in the Name field, enter a name for your group.
- In the Description field, enter a suitable description for your group.
- Click Save.
- Select the Configuration tab.
- Click Add Device.
- On the displayed pop-up window, in the MAC Address field, enter the MAC address of the device that you want to authenticate.
- From the Group Name drop-down list, select the group name you created earlier.
- In the Description field, enter a suitable description for your device.
- Click Save.
- To add the details of multiple devices at the same time (bulk upload), click Upload Device(s).
- On the Upload Device(s) pop-up window, from the Group Name drop-down list, select the group you created earlier.
- In the File field, click Choose file to select the .csv file containing the MAC address of the devices.
NOTE: The MAC Address should be either in AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF format. - Click Upload.
- Click Update.
Set up Role policy and Network policy
JoinNow Management Portal offers policy-based management to facilitate VLAN-based segmentation. The policies to be configured are:
- Role Policy
- Network Policy
Create a Role Policy
A Roles policy grants a user access to defined resources. To add a Role policy, perform the following steps:
- Log in to the JoinNow MultiOS Management Portal.
- Navigate to Policy Management > Roles Policies.
- Click Add Role.
- In the Name field, enter a name for your role policy.
- In the Display Description field, enter a suitable description for your role policy.
- Click Save.
- The page refreshes and the Conditions tab is displayed.
- Select the Conditions tab.
- In the Conditions section, from the Identity Provider drop-down list, select the IdP you created with the MAC Authentication type.
- In the Attribute/Groups section, in the Attribute field, retain ANY.
- In the Groups field, select the group you created earlier (see the Create a MAC Authentication Identity Provider in SecureW2 section).
- Click Update.
Create a Network Policy
The purpose of a network policy is to specify how Cloud RADIUS will authorize access to a particular user role. To create and configure the Network policy, perform the following steps:
- Navigate to Policy Management > Network Policies.
- Click Add Network Policy.
- In the Name field, enter a name for your network policy.
- In the Display Description field, enter a suitable description for your network policy.
- Click Save.
- The page refreshes and displays the Conditions and Settings tabs.
- Select the Conditions tab.
- In the Conditions section, select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.
- Click Add rule.
- Expand Identity and select the Role option.
- Click Save.
- The Role option appears under the Conditions tab.
- From the Role Equals drop-down list, select the role policy you created earlier (see the Create a Role Policy section).
- Select the Settings tab.
- Click Add Attribute.
- From the Dictionary drop-down list, select an option: Radius:IETF or Custom.
- From the Attribute drop-down list, select Filter-Id.
NOTE: Filter-Id is created on your access point to form a VLAN range. - In the Value field, enter the VLAN filter-ID you wish to connect to.
- Click Save.
Configure CISCO Meraki for VLAN
This section describes the steps to create a VLAN in CISCO Meraki and configure Meraki with SecureW2.
Configure the RADIUS server with CISCO Meraki
- Log in to the JoinNow Management Portal.
- Navigate to RADIUS > RADIUS Configuration.
- Copy the Primary IP address on your console.
Configure MAC-based RADIUS Authentication in Meraki
Follow the below steps to set-up MAC based Authentication using Meraki:
- Log in to the CISCO Meraki Portal.
- Navigate to Wireless > Access Control.
- Under Access control, from the SSID drop-down list, select your SSID.
- Under Network access, for Association requirements, select MAC-based access control (no encryption).
- Under Splash page, select None (direct access).
- In the RADIUS servers section, click Add a server.
- From the JoinNow MultiOS Management Portal (navigate to RADIUS > RADIUS Configuration), copy the values from Host IP, Port, and Secret and paste them in the Host, Port, and Secret fields in the Meraki.
- From the VLAN tagging drop-down list, select Use VLAN tagging.
- In the VLAN ID section, add your VLAN ID with AP tags.
- Scroll down to the bottom of the page and click Save Changes.