Cisco Meraki

Cisco Meraki Integration

Configure your Cisco Meraki wireless network to authenticate users with NetKey RADIUS for IPSK with RADIUS authentication.

Meraki IPSK with RADIUS

Meraki supports Identity PSK with RADIUS lookup, allowing unique PSKs per device with centralized management through NetKey.

Prerequisites

  • Meraki MR access points with current firmware
  • Meraki Dashboard access (Network Admin or higher)
  • Network connectivity between Meraki and NetKey RADIUS
  • NetKey Group configured with RADIUS secret
Finding Your RADIUS Server Details

Log in to app.netkey.noSettings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your Meraki network.

Firewall Consideration

Meraki APs communicate with RADIUS from the cloud. Ensure your firewall allows inbound RADIUS from Meraki's cloud IP ranges. Check Meraki documentation for current IP ranges.

Dashboard Configuration

Step 1: Add RADIUS Server

1

Log in to the Meraki Dashboard

Navigate to Wireless → Configure → Access control

2

Select your SSID from the dropdown at the top.

3

Scroll to RADIUS servers section.

Click Add a server and configure:

Host your-radius-server
Port 1812
Secret Your NetKey RADIUS secret
4

Optionally add RADIUS accounting server:

Host your-radius-server
Port 1813
Secret Same as authentication

Step 2: Configure SSID for IPSK

5

In Security section, select:

Security mode WPA2-Enterprise with my RADIUS server

Note: For IPSK, you'll use MAC-based authentication which Meraki handles via RADIUS.

6

Or for Identity PSK with RADIUS, select:

Security mode Identity PSK with RADIUS

This option may require specific licensing and firmware version.

Step 3: Configure MAC-based RADIUS

7

In the RADIUS section, enable:

MAC-based access control Enabled
RADIUS attribute specifying group policy name Filter-Id (if using)
8

Click Save at the bottom of the page.

IPSK with RADIUS

For Identity PSK with RADIUS lookup, configure as follows:

Dashboard Settings

1

Navigate to Wireless → Configure → Access control

Select your SSID and set:

Association requirements Identity PSK with RADIUS
WPA encryption mode WPA2 only

How IPSK Works with Meraki

  1. Client connects to SSID with their unique PSK
  2. Meraki sends MAC address to NetKey RADIUS
  3. NetKey looks up the endpoint and returns the PSK
  4. Meraki validates the PSK against the returned value
  5. Client is granted access with appropriate VLAN
RADIUS Attribute

NetKey returns the PSK in the Tunnel-Password attribute for Meraki IPSK authentication.

VLAN Assignment

Meraki supports dynamic VLAN assignment from RADIUS.

Enable VLAN Tagging

1

Navigate to Wireless → Configure → Access control

In Addressing and traffic section:

Client IP assignment Bridge mode
VLAN tagging Use VLAN tagging
2

In RADIUS section, enable:

RADIUS override Enabled

This allows RADIUS to override the default VLAN.

RADIUS Attributes

NetKey returns these attributes for VLAN assignment:

RADIUS Response 
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "100"

Group Policies

Apply Meraki Group Policies based on NetKey authentication.

Create Group Policy

1

Navigate to Network-wide → Configure → Group policies

Click Add a group and configure your policy.

Note the policy name for RADIUS configuration.

RADIUS Assignment

NetKey can assign Group Policies using the Filter-Id attribute:

RADIUS Response 
Filter-Id = "Guest-Policy"
Policy Name Match

The Filter-Id value must exactly match a Group Policy name in your Meraki Dashboard (case-sensitive).

Testing & Verification

Test RADIUS Connectivity

1

Navigate to Wireless → Configure → Access control

In RADIUS servers section, click Test next to your server.

Meraki will attempt to connect and display the result.

Monitor Client Connections

1

Navigate to Wireless → Monitor → Clients

View connected clients and their authentication status.

View Event Log

1

Navigate to Network-wide → Monitor → Event log

Filter by "802.1X" or "RADIUS" to see authentication events.

Troubleshooting

  • Verify RADIUS server IP and port are correct
  • Check RADIUS secret matches exactly (case-sensitive)
  • Ensure firewall allows Meraki cloud IPs to reach RADIUS
  • Check NetKey logs for connection attempts
  • Verify UDP 1812/1813 is open
  • Check endpoint exists in NetKey with correct MAC
  • Verify endpoint group has PSK configured
  • Check NetKey Auth Logs for rejection reason
  • Ensure MAC format matches (Meraki uses XX:XX:XX:XX:XX:XX)
  • Verify RADIUS override is enabled on SSID
  • Check VLAN tagging is configured
  • Ensure VLAN exists and is allowed on AP ports
  • Verify NetKey is returning Tunnel-Private-Group-ID
  • Verify Group Policy exists with exact name
  • Check Filter-Id is being returned by NetKey
  • Ensure RADIUS attribute is enabled in dashboard
  • Policy names are case-sensitive