Access-Manager and Entra External ID ?

thomasthomsen
Kind of a big deal
Customer wants to have all their students in an Entra External ID, so they can set up the students, as a username, with their own current private email address, like somethingsomething@yahoo.com or whatever email you might privately have.

This would provide them with some better support options when the students use the school's Microsoft products (as far as I understand).

But can you do EAP-TTLS with those users on Access-Manager?
I do not think it is possible to do this kind of "authentication" using Access-Manager, or ISE for that matter, towards an Entra External ID. But does anyone know for sure?

Currently, as a test, we have set up Access-Manager towards this "Entra External ID", and I do get all the groups and users listed when I do a sync. But I can never connect.

Access-manager just says "Failure/ Rejection info: Reason : An unexpected server error occurred." That does not help a lot 🙂

And logs from the "Entra External ID" side? Well, said like Nate Bargatze's George Washington on SNL: "nobody knows".

But as mentioned, does anyone know if this is possible, and what could I be missing?

Thanks

Thomas

Ryan_Miles
Meraki Employee All-Star

Deleted

thomasthomsen
Kind of a big deal

Yeah, that's the guide we usually follow. So you would be accurate in "that's what we are describing".
And it of course works in other places where we have set up Access-Manager towards Entra (non-External) ID.
But have you set this up in your lab for Entra External ID or just Entra ID?
https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview


I think, from what I have been able to gather, that there is something about sending an unencrypted password (inside the EAP) to the Entra External ID that is not allowed (a Microsoft thing?) .. or something to that effect.

No, I have not created a support case on this; I unfortunately do not have the time (in this case). Sorry.

Ryan_Miles
Meraki Employee All-Star

Ah, didn't notice the Entra External ID part. Don't think that is supported currently.

thomasthomsen
Kind of a big deal

Yeah ... And I don't think that is supported on ISE either (and that would have been my first choice for authentication "engine", so to speak).
At least I cannot find any information on it regarding Cisco ISE (or for that matter Aruba Clearpass, so .... ).

rhbirkelund
Kind of a big deal

Access Manager is not supported with Entra External ID.

We had a customer who'd been looking into this, and according to Cisco, it is not supported.

thomasthomsen
Kind of a big deal

Yeah and I think ISE is the same thing. As far as I know. 😕

PhilipDAth
Kind of a big deal

This is my best guess. I am not hopeful that it will work.

I think you would need to edit the external user in Entra and change them from being a "guest" to a "member". This will cause Entra to treat them like a standard "internal" user.

Next, I think you will need to use EAP-TLS.

The password for an external user is only stored in the "home" authentication environment, so you would not have access to it for the authentication. However, a certificate issued from your environment that includes their username would be trusted.

Going sideways, have you considered using the Splash Access student enrollment system? It is purpose-built for this exact problem.

https://www.splashaccess.com/portfolio/education/
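The EAP-TLS route suggested above, as an added example that is not part of the thread or any product's own tooling: a school-run CA (hypothetical, generated here) issues a client certificate carrying the student's private e-mail address as the username in the subjectAltName, and the RADIUS-side check validates the chain and reads the username from the certificate instead of ever needing the password that only Entra External ID's "home" tenant holds. Assumes `openssl` 1.1.1 or newer on the PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): EAP-TLS identity via a school-issued
# client certificate. The CA below is hypothetical; in production the CA key
# lives in a protected CA/PKI, never in a temp directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Create the school's student CA (constructed for this example).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example School Student CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_client_cert <username-email>: writes a CA-signed cert whose CN and
# rfc822Name SAN both carry the student's e-mail username. The clientAuth EKU
# means the RADIUS server will not accept it as a server certificate.
issue_client_cert() {
  user="$1"; base="$WORK/$(printf '%s' "$user" | tr -c 'A-Za-z0-9' '_')"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$base.key" -out "$base.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=email:%s\n' "$user" > "$base.ext"
  openssl x509 -req -in "$base.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 180 -extfile "$base.ext" -out "$base.pem" 2>/dev/null
  printf '%s\n' "$base.pem"
}

# What the RADIUS server does at EAP-TLS time: verify the chain against the
# school CA for client use, then take the username from the SAN. No password
# lookup against Entra is needed, which is the point of the suggestion above.
verify_and_extract_user() {
  cert="$1"
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -ext subjectAltName | sed -n 's/.*email:\([^,]*\).*/\1/p'
}
```

A certificate signed by any other CA (for instance a self-signed one a device generates itself) fails the `openssl verify` step and yields no username.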

thomasthomsen
Kind of a big deal

I think you are right here about the way the passwords are stored, and that is why you cannot do EAP-TTLS. Thanks for what I consider confirmation 🙂

EAP-TLS would be a nightmare in this scenario, I'm afraid 🙂

The customer has some fun requirements, about onboarding should be easy, and then they want "credentials stored".
I mean, sure, in theory you could "store" your credentials in the browser for the splash-login page on an open (OWE) network, but the end-user would have to log in more times (citation needed), because of MAC randomization.

Splash Access "dorm" solution using iPSK is really nice, a good interface (like Cisco really should build into ISE for iPSK with RADIUS). But iPSK without RADIUS does not work with WPA3, and we really want WPA3 (because of 6 GHz). Of course WPA3 iPSK with RADIUS should work, but then we come back to students needing to find their MAC address, and .... from what I can tell, they are not capable of such things, and it would put a large workload on their support team.

We could fairly easily provide the students with an onboarding script WLAN profile for Windows and Mac computers, and then use EAP-TTLS (where the client would then of course store the credentials), and for mobile devices use TOFU. But EAP-TTLS is off the table because of Entra External ID.

iPSK without RADIUS, regardless of WPA3, would still be easy for the dorms, and "ok".

But for the actual education sites, I'm thinking (right now, because of the above requirements) WPA3-SAE for the "base" student SSID (so that the device does not change its MAC), and then a splash page.

Is this an annoying solution? Yes .... yes it is ... but it's perhaps the only thing that's possible given the customer's requirements and their ... "obsession" with using Entra External ID for students.

Of course we could also just go plain WPA3-SAE, and not need "identity" ... would be the easiest 🙂

Thanks to all for your replies.

Thomas

PhilipDAth
Kind of a big deal

thomasthomsen
Kind of a big deal

Yes, I was also thinking about that, and perhaps that would actually work with Entra External ID, because it's another kind of "request" than RADIUS.
But I would have to set up some security in order to prevent the device from changing its MAC address. So I'm still thinking WPA3-SAE and then this splash page.
