SSID RADIUS Servers Configuration

Dashboard Location: Wireless > Configure > SSIDs > Access Control > RADIUS Servers

Wireless SSID RADIUS Authentication and Accounting Management

SSID RADIUS servers configuration in Meraki wireless networks provides administrators with comprehensive Remote Authentication Dial-In User Service (RADIUS) integration capabilities for 802.1X enterprise authentication, network access control, user identity management, and accounting services. This functionality supports centralized authentication infrastructures, Active Directory integration, certificate-based authentication, network access control (NAC) policies, and comprehensive user activity logging. RADIUS integration is essential for implementing enterprise-grade wireless security, supporting bring-your-own-device (BYOD) policies, enabling role-based network access, and maintaining compliance with security standards and regulatory requirements in corporate and educational environments.

Diagram

Classes

ssids (meraki.domains.organizations.networks.wireless)

Name	Type	Constraint	Mandatory	Default Value
radius	Class	`[radius]`	No

radius (meraki.domains.organizations.networks.wireless.ssids)

Name	Type	Constraint	Mandatory	Default Value
name	String	min: `1`, max: `127`	No
local_radius	Class	`[local_radius]`	No
servers	List	`[servers]`	No
called_station_id	String	min: `1`, max: `127`	No
authentication_nas_id	String	min: `1`, max: `127`	No
server_timeout	Integer	min: `1`, max: `10`	No
server_attempts_limit	Integer	min: `1`, max: `5`	No
radsec_tls_tunnel_timeout	Integer	min: `1`, max: `32767`	No
failover_policy	Choice	`Allow access`, `Deny access`	No
load_balancing_policy	Choice	`Round robin`, `Strict priority order`	No
accounting_servers	List	`[accounting_servers]`	No
accounting_interim_interval	Integer	min: `1`, max: `360`	No
attribute_for_group_policies	Choice	`Airespace-ACL-Name`, `Aruba-User-Role`, `Filter-Id`, `Reply-Message`	No
override	Boolean	`true`, `false`	No
guest_vlan_id	Any	Integer[min: `1`, max: `4094`] or String[matches: `(?:[1-9]	[1-9][0-9]	[1-9][0-9]2
proxy	Boolean	`true`, `false`	No
testing	Boolean	`true`, `false`	No
fallback	Boolean	`true`, `false`	No
coa	Boolean	`true`, `false`	No
accounting	Boolean	`true`, `false`	No
guest_vlan	Boolean	`true`, `false`	No

local_radius (meraki.domains.organizations.networks.wireless.ssids.radius)

Name	Type	Constraint	Mandatory
cache_timeout	Integer	min: `1`, max: `86400`	No
password_authentication	Boolean	`true`, `false`	No
certificate_authentication	Class	`[certificate_authentication]`	No

servers (meraki.domains.organizations.networks.wireless.ssids.radius)

Name	Type	Constraint	Mandatory
host	String	min: `1`, max: `127`	Yes
port	Integer	min: `0`, max: `65535`	No
secret	String	min: `1`, max: `127`	No
open_roaming_certificate_id	Integer	min: `1`, max: `65535`	No
ca_certificate	String	min: `1`, max: `4096`	No
radsec	Boolean	`true`, `false`	No

accounting_servers (meraki.domains.organizations.networks.wireless.ssids.radius)

Name	Type	Constraint	Mandatory
host	String	min: `1`, max: `127`	Yes
port	Integer	min: `0`, max: `65535`	No
secret	String	min: `1`, max: `127`	No
ca_certificate	String	min: `1`, max: `4096`	No
radsec	Boolean	`true`, `false`	No

certificate_authentication (meraki.domains.organizations.networks.wireless.ssids.radius.local_radius)

Name	Type	Constraint	Mandatory
enabled	Boolean	`true`, `false`	No
use_ldap	Boolean	`true`, `false`	No
use_ocsp	Boolean	`true`, `false`	No
ocsp_responder_url	String	min: `1`, max: `1024`	No
client_root_ca_certificate	String	min: `1`, max: `4096`	No

Examples

Example-1: The example below demonstrates SSID RADIUS servers configuration.

This configuration defines RADIUS authentication and accounting servers for enterprise wireless security. The example includes server addresses, shared secrets, port configurations, and failover settings for centralized authentication and authorization.

The CORP SSID (SSID 0) is configured to use RADIUS authentication with advanced features enabled, including Change of Authorization (CoA), accounting, and fallback to secondary servers. RADIUS server timeouts are set to 5 seconds, with a maximum of 3 retry attempts, and accounting updates are sent every 360 seconds. The SSID also supports RADIUS testing, group policy override, and uses the Filter-Id attribute to assign group policies. RADIUS proxying is disabled. The Guest SSID (SSID 1) appears partially configured, using port 1813 with a shared secret from the environment variable radius_shared_secret, and RADSEC (RADIUS over TLS) is disabled. However, the configuration is incomplete as it’s missing higher-level radius structure and other required fields.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              wireless:
                ssids:
                  - name: CORP
                    ssid_number: "0"
                    radius:
                      accounting_servers:
                        - host: 10.64.0.230
                          port: 1813
                          secret: cisco123
                          radsec: false
                      servers:
                        - host: 100.64.0.230
                          secret: abc123
                          port: 1812
                          radsec: false
                      called_station_id: 00-11-22-33-44-55:AP1
                      authentication_nas_id: 00-11-22-33-44-55:AP1
                      server_timeout: 5
                      server_attempts_limit: 5
                      # radsec_tls_tunnel_timeout: 600
                      # failover_policy: Deny access
                      # load_balancing_policy: Round robin
                      accounting_interim_interval: 5
                      attribute_for_group_policies: Filter-Id
                      # guest_vlan_id: 1
                        proxy: false
                        testing: true
                        server_timeout: 5
                        server_attempts_limit: 3
                        coa: true
                        fallback: true
                        override: true
                        accounting: true
                        accounting_interim_interval: 360
                        attribute_for_group_policies: Filter-Id