SSID RADIUS Servers Configuration

Dashboard Location: Wireless > Configure > SSIDs > Access Control > RADIUS Servers

Wireless SSID RADIUS Authentication and Accounting Management

SSID RADIUS servers configuration in Meraki wireless networks provides administrators with comprehensive Remote Authentication Dial-In User Service (RADIUS) integration capabilities for 802.1X enterprise authentication, network access control, user identity management, and accounting services. This functionality supports centralized authentication infrastructures, Active Directory integration, certificate-based authentication, network access control (NAC) policies, and comprehensive user activity logging. RADIUS integration is essential for implementing enterprise-grade wireless security, supporting bring-your-own-device (BYOD) policies, enabling role-based network access, and maintaining compliance with security standards and regulatory requirements in corporate and educational environments.

Diagram

Classes

ssids (meraki.domains.organizations.networks.wireless)

Name	Type	Constraint	Mandatory	Default Value
radius	Class	`[radius]`	No

radius (meraki.domains.organizations.networks.wireless.ssids)

Name	Type	Constraint	Mandatory	Default Value
name	String	min: `1`, max: `127`	No
local_radius	Class	`[local_radius]`	No
servers	List	`[servers]`	No
called_station_id	String	min: `1`, max: `127`	No
authentication_nas_id	String	min: `1`, max: `127`	No
server_timeout	Integer	min: `1`, max: `10`	No
server_attempts_limit	Integer	min: `1`, max: `5`	No
radsec_tls_tunnel_timeout	Integer	min: `1`, max: `32767`	No
failover_policy	Choice	`Allow access`, `Deny access`	No
load_balancing_policy	Choice	`Round robin`, `Strict priority order`	No
accounting_servers	List	`[accounting_servers]`	No
accounting_interim_interval	Integer	min: `1`, max: `360`	No
attribute_for_group_policies	Choice	`Airespace-ACL-Name`, `Aruba-User-Role`, `Filter-Id`, `Reply-Message`	No
override	Boolean	`true`, `false`	No
guest_vlan_id	Any	Integer[min: `1`, max: `4094`] or String[matches: `(?:[1-9]	[1-9][0-9]	[1-9][0-9]2
proxy	Boolean	`true`, `false`	No
testing	Boolean	`true`, `false`	No
fallback	Boolean	`true`, `false`	No
coa	Boolean	`true`, `false`	No
accounting	Boolean	`true`, `false`	No
guest_vlan	Boolean	`true`, `false`	No

local_radius (meraki.domains.organizations.networks.wireless.ssids.radius)

Name	Type	Constraint	Mandatory
cache_timeout	Integer	min: `1`, max: `86400`	No
password_authentication	Boolean	`true`, `false`	No
certificate_authentication	Class	`[certificate_authentication]`	No

servers (meraki.domains.organizations.networks.wireless.ssids.radius)

Name	Type	Constraint	Mandatory
host	String	min: `1`, max: `127`	Yes
port	Integer	min: `0`, max: `65535`	No
secret	String	min: `1`, max: `127`	No
open_roaming_certificate_id	Integer	min: `1`, max: `65535`	No
ca_certificate	String	min: `1`, max: `4096`	No
radsec	Boolean	`true`, `false`	No

accounting_servers (meraki.domains.organizations.networks.wireless.ssids.radius)

Name	Type	Constraint	Mandatory
host	String	min: `1`, max: `127`	Yes
port	Integer	min: `0`, max: `65535`	No
secret	String	min: `1`, max: `127`	No
ca_certificate	String	min: `1`, max: `4096`	No
radsec	Boolean	`true`, `false`	No

certificate_authentication (meraki.domains.organizations.networks.wireless.ssids.radius.local_radius)

Name	Type	Constraint	Mandatory
enabled	Boolean	`true`, `false`	No
use_ldap	Boolean	`true`, `false`	No
use_ocsp	Boolean	`true`, `false`	No
ocsp_responder_url	String	min: `1`, max: `1024`	No
client_root_ca_certificate	String	min: `1`, max: `4096`	No

Examples

Example-1: The example below demonstrates wireless SSID RADIUS servers configuration using tested YAML configuration from pipeline fixtures.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              wireless:
                ssids:
                  - name: CORP
                    ssid_number: "0"
                    radius:
                      accounting_servers:
                        - host: 10.64.0.230
                          port: 1813
                          secret: cisco123
                          radsec: false
                      servers:
                        - host: 100.64.0.230
                          secret: abc123
                          port: 1812
                          radsec: false
                      called_station_id: 00-11-22-33-44-55:AP1
                      authentication_nas_id: 00-11-22-33-44-55:AP1
                      server_timeout: 5
                      server_attempts_limit: 5
                      # radsec_tls_tunnel_timeout: 600
                      # failover_policy: Deny access
                      # load_balancing_policy: Round robin
                      accounting_interim_interval: 5
                      attribute_for_group_policies: Filter-Id
                      # guest_vlan_id: 1
                        proxy: false
                        testing: true
                        server_timeout: 5
                        server_attempts_limit: 3
                        coa: true
                        fallback: true
                        override: true
                        accounting: true
                        accounting_interim_interval: 360
                        attribute_for_group_policies: Filter-Id