Calling-Station-ID: Contains the MAC address of the wireless device (all caps, octets separated by hyphens).You can use NAS-ID attribute instead, which by default carries NODE_MAC:VAP_NUM. Note: SSIDs broadcasted by repeater APs in a mesh deployment can't use NAS-IP-Address attribute because repeater APs do not have IP addresses assigned. Additional information is available for Calculating Cisco Meraki BSSID MAC Addresses . Note: BSSID MAC addresses will be different for each configured SSID. The following image provides a detailed breakdown of the PEAP with MSCHAPv2 association process: Keep in mind the AP is not responsible for authenticating wireless clients and acts as an intermediary between clients and the RADIUS server. Gateway APs need to receive a RADIUS Access-accept message from the RADIUS server in order to grant the supplicant access to the network.įor best performance, it is recommended to have the RADIUS server and gateway APs located within the same layer-2 broadcast domain to avoid firewall, routing, or authentication delays. This means the RADIUS server is responsible for authenticating users.ĪPs perform EAPOL exchanges between the supplicant and convert these to RADIUS Access-requests messages, which are sent to the RADIUS server's IP address and UDP port specified in Dashboard. The gateway APs (authenticator) role is to send authentication messages between the supplicant and authentication server. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server.
WPA2-Enterprise with 802.1X authentication can be used to authenticate users or computers in a domain.