Define RADIUS Server Objects to be reused across an organization's SSIDs.
This tool allows creating a configuration file with a list of SSIDs that need 802.1X-RADIUS configuration, a list of RADIUS authentication and RADIUS accounting servers, and a preference order for these servers in the SSIDs, which will then be propagated to your SSIDs in one of 3 methods:
- Single Network: Will provision any SSIDs matching the exact names defined in your configuration file, and will overwrite the RADIUS settings in them accordingly
- Tag-based: Will provision all networks tagged with a user-defined tag with any SSIDs matching the exact names defined in your configuration file, and will overwrite the RADIUS settings in them accordingly
- Template-based: Will provision a specified configuration template with any SSIDs matching the exact names defined in your configuration file, and will overwrite the RADIUS settings in them accordingly
- Active Cisco Meraki subscriptions in the orgs where the script will be run
- API access enabled for these organizations, as well as an API Key with access to them. See how to enable here
- A working Python 3.0 environment
- Install libraries in
requirements.txt
- Create SSIDs in the single-network, tagged-networks or configuration template that will exist in your Configuration file
- Tag any networks you want to operate on with a user defined tag
- Run the script
- Clone repo to your working directory with
git clone https://github.com/Francisco-1088/merakiRadiusObjects.git
- Edit
config.ini
- Add your API Key under
api_key
in line 2 - Add the Organization ID of the organization where you want to operate. You can find your Org ID easily by right clicking anywhere in the screen while logged in to your organization, and clicking "View Page Source". In the resulting page use "Find" to look for the keyword
Mkiconf.org_id
- Under
[target_networks]
set only one of the optionsuse_template
,use_tag
orsingle_network
toTrue
, and all others toFalse
- Specify
template_name
,network_tag
ornetwork_name
accordingly (i.e. if choosinguse_tag
asTrue
, then specify anetwork_tag
to follow - The specified names must match exactly the names of these networks, templates or tags in Dashboard
- If choosing to use tags, go ahead and tag your desired networks in Dashboard with the user defined tag
- For each RADIUS authentication server you need to use, create an entry in the form
[radius_auth_X]
, whereX
is a unique number (you can reuse the existing 3 in the sample file, and remove any unneeded ones). You may define as many as you need. Each of these must have an entry forhost
, which should be an IPv4 address,secret
andport
- For each RADIUS accounting server you need to use, create an entry in the form
[radius_acct_X]
, whereX
is a unique number (you can reuse the existing 3 in the sample file, and remove any unneeded ones). You may define as many as you need. Each of these must have an entry forhost
, which should be an IPv4 address,secret
andport
-
For each SSID you intend to modify, create an entry in the form
[ssid_X]
, whereX
should be a unique number. Each of these must contain aname
, a setting forauth_enabled
(whether to use RADIUS authentication), a setting foracct_enabled
(whether to use RADIUS accounting), a setting forauth_preference
which should be a comma separated ordered list of RADIUS authentication servers referencing those listed in the RADIUS Auth section, and a setting foracct_preference
which should be a comma separated ordered list of RADIUS authentication servers referencing those listed in the RADIUS Auth section -
The SSIDs must have
auth_enabled
set toTrue
, butacct_enabled
may be set toTrue
orFalse
. Ifacct_enabled
is set to True, thenacct_preference
cannot be set to None
-
The script will parse your configuration file and determine the list of
target_networks
it needs to operate on, depending on your settings -
It will then iterate through all of your networks and prompt you when it needs to modify or overwrite settings
-
The prompts only accept 'Y' or 'N', anything else will be interpreted as a negative input and the section will be skipped
-
The script will ONLY modify the RADIUS configuration of the SSID. If an SSID without WPA Enterprise configuration is chosen, the script will ask if you wish to set that SSID to WPA2 Enterprise, but all other settings will be preserved
-
SSID names, Network Names, Tag Names and Template Names MUST match exactly what you define in your configuration file for the script to work properly