Configure Cisco Meraki to interoperate with Okta using RADIUS
This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server Agent and EAP-TTLS.
For details of the flow between Okta, the RADIUS agent, and Cisco Meraki, see Cisco Meraki RADIUS integration flow.
Contact Okta Support to have EAP-TTLS support enabled for your Okta org.
Before you begin
Before installing the Okta RADIUS Agent, ensure that you have met these minimum requirements for network connectivity:
| Source | Destination | Port/Protocol | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | TCP/443 | Configuration and authentication traffic |
| Client Gateway | Okta RADIUS Agent | UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration) | RADIUS traffic between the gateway (client) and the RADIUS Agent (server) |
Only a single Okta Verify device should be enrolled. Enrolling second and subsequent Okta Verify devices may cause undefined or unexpected behavior.
On using MFA with Cisco Meraki
Okta doesn't recommend using MFA with EAP-TTLS and it has been disabled by default in the Cisco Meraki RADIUS app policy.
While technically possible, MFA with EAP-TTLS may not work correctly due to:
- Timeout and retry configurations on the router and supplicants, which cause several push requests to be sent unless the end user accepts the first push notification quickly.
- Roaming between access points within a zone works as expected with static passwords, but will result in MFA re-prompts unless Pairwise Master Key caching and Opportunistic Key caching are correctly configured to prevent RADIUS re-authentication.
Typical workflow
- Download the RADIUS agent
- Install the Okta RADIUS Agent
- Configure optional settings