Cisco Meraki setup guide

Applies to: MS switches, MR access points

Meraki is entirely dashboard-configured. There is no CLI to paste. The same Arbiter configuration is applied across switches and APs via the Dashboard UI. Sections below list the exact dashboard paths and field values.

Wired — RADIUS server, 802.1X and MAB

Switch -> Access policies -> Add an access policy.

Name:                  Arbiter 802.1X
Authentication method: my RADIUS server
RADIUS servers:
  Server #1  Host: 10.10.10.10  Port: 1812  Secret: ARBITER_PSK
  Server #2  Host: 10.10.10.11  Port: 1812  Secret: ARBITER_PSK
RADIUS testing:        enabled
RADIUS CoA support:    enabled  (port 3799)
RADIUS accounting:     enabled
  Server #1  Host: 10.10.10.10  Port: 1813  Secret: ARBITER_PSK
  Server #2  Host: 10.10.10.11  Port: 1813  Secret: ARBITER_PSK
Host mode:             Multi-auth
Access policy type:    802.1X
Guest VLAN:            <fallback VLAN id>
Voice VLAN clients:    Bypass authentication

Apply to ports:  Switch -> Switch ports -> select access ports
                 -> Policy: Arbiter 802.1X

Wireless — 802.1X SSID

Wireless -> Configure -> Access control -> choose SSID.

SSID:                  Corp
Association:           WPA2-Enterprise with my RADIUS server
RADIUS servers:
  Server #1  Host: 10.10.10.10  Port: 1812  Secret: ARBITER_PSK
  Server #2  Host: 10.10.10.11  Port: 1812  Secret: ARBITER_PSK
RADIUS testing:        enabled
RADIUS CoA support:    enabled
RADIUS accounting:     enabled  (same two servers, port 1813)
Splash page:           None
VLAN tagging:          RADIUS override

Guest SSID — open with captive portal redirect

Open SSID with MAC-based access control, no Meraki-hosted splash. Arbiter returns the redirect URL.

SSID:                       Guest
Association:                Open
Network access:             MAC-based access control (no encryption)
RADIUS servers:             both Edges as above
Splash page:                Click-through -> Custom-hosted by Cisco Meraki -> unchecked
                            (Meraki passes through the redirect URL returned by RADIUS)
Walled garden:              add acme-7f3-guest.arbiter.ie

Arbiter returns on the open-SSID Access-Accept:
  Cisco-AVPair = url-redirect-acl=GUEST-REDIRECT
  Cisco-AVPair = url-redirect=https://acme-7f3-guest.arbiter.ie/
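If the host in url-redirect is missing from the SSID's walled garden, unauthenticated guests cannot reach the portal they are redirected to. The following is an added example, not Arbiter or Meraki tooling: it checks a captured Access-Accept against the walled-garden list. The function names, the tuple-list input format and the shell-style wildcard matching of walled-garden entries are assumptions.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample: the two attributes this guide shows on the guest Access-Accept.
SAMPLE_ACCEPT = [
    ("Cisco-AVPair", "url-redirect-acl=GUEST-REDIRECT"),
    ("Cisco-AVPair", "url-redirect=https://acme-7f3-guest.arbiter.ie/"),
]
SAMPLE_WALLED_GARDEN = ["acme-7f3-guest.arbiter.ie"]


def parse_avpairs(attributes):
    """Split each Cisco-AVPair value on its first '=' (URLs may contain more)."""
    pairs = {}
    for name, value in attributes:
        if name.lower() != "cisco-avpair":
            continue
        key, sep, val = value.partition("=")
        if not sep:
            raise ValueError(f"malformed Cisco-AVPair: {value!r}")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def check_guest_redirect(attributes, walled_garden):
    """Return a list of problems; an empty list means reply and SSID agree."""
    problems = []
    pairs = parse_avpairs(attributes)
    if not pairs.get("url-redirect-acl"):
        problems.append("url-redirect-acl missing")
    url = pairs.get("url-redirect")
    if not url:
        problems.append("url-redirect missing")
        return problems
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append(f"redirect is not https: {url}")
    if not host:
        problems.append(f"redirect has no host: {url}")
    # Assumption: entries are hostnames, optionally with '*' wildcards.
    elif not any(fnmatch(host, entry.lower()) for entry in walled_garden):
        problems.append(f"{host} is not in the walled garden")
    return problems


if __name__ == "__main__":
    print(check_guest_redirect(SAMPLE_ACCEPT, SAMPLE_WALLED_GARDEN) or "OK")
```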

DHCP relay to Edge

Meraki MX or MS layer-3 SVIs — Security & SD-WAN -> Addressing & VLANs (MX), or Switch -> Routing & DHCP -> Interface (MS).

DHCP handling:  Relay DHCP to another server
DHCP servers:   10.0.0.5     (real DHCP)
                10.10.10.10  (Edge #1)
                10.10.10.11  (Edge #2)

AAA dead-server detection

Meraki exposes RADIUS testing as a single toggle. When enabled, the dashboard probes both servers every few minutes and the device fails over according to the probe state. Leave it enabled. The Meraki dashboard manages dead-criteria and deadtime internally; the Portnox-style 30s/4-tries/3-minute knobs are not directly tunable, but the cloud-managed timers behave equivalently in practice.

Access policy -> RADIUS testing: enabled
(no further tunables; dashboard manages dead-criteria and deadtime internally)

CoA listener

Enabled by the 'RADIUS CoA support' toggle in the access policy. The device listens on UDP/3799 for CoA requests from both Edge IPs.

Access policy -> RADIUS CoA support: enabled