Meraki

Community

Wireless Authenication - removing PSK?

KevinCullen
Comes here often
‎May 27 2022 2:20 PM
‎May 27 2022 2:20 PM

Wireless Authenication - removing PSK?

Currently all of my SSID's have a PSK that everyone knows so I would like to move towards a more controlled method of authentication. My Consultant recommended we switch to radius and authenticate against active directory. My issue with this options is my staff/students can still bring in a personal device and use it on our networks that have access to servers etc. After doing some googling, I've only been able to find articles that say with radius you have to either use user or computer for authentication, not both. 

 

Does any one have any recommendations?

 

0 Kudos
2 Replies 2
KarstenI
Kind of a big deal
Kind of a big deal
‎May 28 2022 1:16 AM
‎May 28 2022 1:16 AM

First: This won't be the easiest project, and there are many "it depends":

  1. You can do both machine and user authentication and you can also enforce that the user-authentication has to be done on a computer that was previously authenticated as a machine. But this is not automatically the case, you need to enforce it on your RADIUS-server which also needs to support this. The used EAP-Method needs to EAP-FAST or TEAP.
  2. The more powerful/complex your authentication-requirements are, the more likely is that the Windows NPS will not do the job sufficiently. Cisco ISE is likely a good choice here.
  3. Differentiating Machine- from User-Authentication is only available on Windows. You need to define what to do with other operating systems like macOS, Linux, Chromebooks, iOS, Android ...
  4. You likely need a PKI and install the root-certificate on all devices and also enrol these devices with a certificate. This is for the devices that do not support EAP-FAST/TEAP. 
  5. If you haven't done this before, you should get a consultant to help you. There are so many things that can go wrong if done incorrectly.
  6. You also should think about iPSK where different groups or devices have different PSKs that can be rotated more easily to kick out old devices that you are not aware of any more.
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 29 2022 2:08 PM
‎May 29 2022 2:08 PM

@KarstenI has provided an excellent reply.  Note that (1) above can not be done by Windows NPS (the Windows RADIUS server).

 

In short, if you want to use only a Windows solution, you are going to have to use certificate-based authentication.

 

This is a guide to configuring everything using AD username/password authentication.  You can then layer certificate-based authentication on top of this.  If you are not sure, this might be a good first step to do, and then once you have it going, move on to the next step of certificate-based authentication.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_... 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.