How to Set Up VPN RADIUS Authentication for Meraki Gateway

With VPNs being used now more than ever, ensuring security while working remotely is of the utmost importance. You can improve your VPN security by using a RADIUS server to authenticate users. Even when users are working from home, authenticating with a RADIUS server is a strong defense against credential theft.

You will be able to easily see authentication logs within the Cloud Management Portal and grant dynamic VPN access based on a user’s standing in the directory.

Below we will show how to configure your Meraki Gateway with Cloud RADIUS so you can provide VPN access easily to all your users.

Requirements

  • Meraki Gateway AP
  • VPN Client
  • RADIUS Server and accompanying PKI

Getting Started

Before setting up your VPN for RADIUS authentication, there are a few key things that must be configured properly to ensure that your network is prepared.

SecureW2’s (parent company of Cloud RADIUS) onboarding solution eliminates the headaches that come from transitioning from passwords to certificate-based authentication. With certificate-driven Wi-Fi, you no longer need to worry about the security risks that come with passwords, which account for a majority of security mishaps.

The PKI can be connected to Meraki Gateway using our straightforward Getting Started Wizard; simply follow the steps here and enjoy your network’s new security.

Tying Your Directory with Cloud RADIUS

In order to grant VPN access based on a user’s standing in the directory, we need to tie our Identity Provider with our RADIUS server. We can easily do this by using SecureW2’s onboarding software. Historically, you were only able to connect a directory with a RADIUS server by using LDAP to communicate between Active Directory and the RADIUS server. Luckily, SecureW2’s onboarding software solves this issue and can integrate with any SAML or LDAP directory to verify users and enroll them for certificates they can use to authenticate.

To integrate a SAML-Based IDP, like G-Suite, Azure, or Okta, with SecureW2, follow these steps:

  1. From the SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the SAML Vendor dropdown and select your SAML provider.
  7. Click Save.

A SAML application is a crucial connection between your IDP and SecureW2. The SAML application allows a user to enter their credentials, which are then passed to your IDP for verification. 

The IDP verifies the user’s identity and then sends attributes to the SAML application, which then passes the attributes to SecureW2 for certificate issuance. 

As an example, here are the steps to create a SAML application in Google: 

  1. From the Google Admin Console, click Apps, and then click SAML apps.
  2. In the bottom-right corner of the screen, move your mouse over the yellow circle and click Enable SSO for a SAML Application.
  3. Click SETUP MY OWN CUSTOM APP.
  4. Under Option 2, for IDP metadata, click DOWNLOAD. Save the metadata file (.XML) to your computer.
  5. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  6. Click Edit for the IDP you created (GoogleSAML).
  7. Select the Configuration tab.
  8. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  9. In the prompt that appears, select the metadata file you saved to your computer. Click Upload.
  10. Click Update.
  11. Copy the ACS URL and EntityId to your clipboard or somewhere handy.
  12. Return to your Google SAML App setup.

Integrating Cloud RADIUS With Meraki VPN Gateway

Now that we have a way of tying our Identity Provider to our RADIUS server, it’s time to integrate our Meraki VPN Gateway with our Cloud RADIUS server by completing the following steps.

First, get the Cloud RADIUS server information from the SecureW2 management portal:

  1. Under Wireless, select Access control.
  2. Under Network access, change it from the default value of Open (no encryption) to WPA2-Enterprise with “my RADIUS server”.
  3. For the WPA encryption mode, select WPA2 only.
  4. In the Splash page section, leave it set to None (direct access).

You can find the details about your Cloud RADIUS when you go to AAA Management and AAA Configuration. Here you will see a Primary IP Address, Secondary IP Address, Port Number and a Shared Secret.

Now you can configure your Meraki VPN Gateway with the Cloud RADIUS server information:

  1. Log on to the Cisco Meraki Dashboard and go to Configure > Client VPN.
  2. Enable the Client VPN Server.
  3. Set the Client VPN Subnet. This will be a unique IP subnet offered to clients connecting to the MX Security Appliance via a Client VPN connection.
  4. Specify the DNS servers.
  5. Enter a shared secret that will be used by the client devices to establish the VPN connection. This is a different value from the RADIUS shared secret.
  6. Select RADIUS as the Authentication method.
  7. Click the Add a RADIUS Server link.
  8. Enter your Cloud RADIUS Host IP Address.
  9. Enter the Cloud RADIUS Port from the management portal that the MX Security Appliance will use to communicate to the Cloud RADIUS server.
  10. Enter the Cloud RADIUS Shared Secret.
  11. Click Save changes.
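The RADIUS shared secret entered in step 10 is what ties the MX and the Cloud RADIUS server together on the wire: it hides the user's password inside the Access-Request and lets the appliance verify that an Access-Accept really came from a server holding the same secret. The following example, added here and not taken from the page, SecureW2 or Meraki, builds and checks those RFC 2865 packets in Python; it assumes the PAP username/password exchange Client VPN uses against RADIUS, and the secret, username and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample secret (an assumption, not a real value); in practice use
# the Shared Secret shown under AAA Management > AAA Configuration.
RADIUS_SECRET = b"example-radius-secret"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int, authenticator: bytes = b"") -> bytes:
    """PAP Access-Request (code 1), the shape the MX sends for a Client VPN login."""
    authenticator = authenticator or os.urandom(16)  # fresh random 16 bytes per request
    attrs = b""
    for attr_type, value in ((1, username.encode()),  # 1 = User-Name, 2 = User-Password
                             (2, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """What a server holding the same secret returns (2 = Accept, 3 = Reject):
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a mismatch means the reply was not
    produced with this shared secret (mistyped secret on either side, or a spoofed reply)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A secret that differs on the two ends does not produce an error message; the server silently discards the request, which is why "Save changes" followed by a login timeout usually points at step 10 rather than at the directory.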

Conclusion

An organization’s risk of credential leaks and security breaches is drastically reduced with the use of certificate-based RADIUS authentication. Once the network is configured properly, you can rest easy knowing that your VPN is secure.

This setup can be completed in as little as a few hours, so while you have some extra time, check out our pricing page to see if SecureW2’s cloud-based solutions are right for you and your organization.
