We are trying to create a scenario where we can control access to our primary LAN depending on whether a computer or user is "trusted" or "untrusted". We have Active Directory, so by default any computer that is part of the AD should be trusted. In addition, we need to be able to add other computers to the trusted computers group (e.g. for consultants). If a computer is not joined to the AD, or is not explicitly trusted, then it should be untrusted. Untrusted computers should get Internet access, but no access to the LAN. We have an MX64 with an advanced security license, and also Meraki switches and wireless APs. We need to be able to do this for both wired and wireless clients. Is this scenario possible? Thanks all for your help!
Yes. Ideally you would use 802.1x on wired and WiFi (can't do it on the MX directly). You drop authenticated users into the main VLAN and other users into the "guest" VLAN. Ditto on WiFi (well, rather, authenticated users can access the SSID and you use a separate SSID for guest users).
You will need to deploy the NPS server role. There is quite a bit of work involved.
With regard to switches:
For WiFi you would use WPA2-Enterprise mode (this even has an NPS walkthrough for WiFi):
Thanks Philip, much appreciated! This RADIUS/NPS stuff is new to me, so I'm trying to digest it all. Is my assumption correct that users would use their AD username and password to authenticate against the RADIUS/NPS server? If not, what usernames/passwords would they use?
Typically you configure PEAP for the outer layer and use MSCHAPv2 for the inner layer. If you do that, and it is a Windows AD-joined machine, it will authenticate automatically as the logged-in user without the user having to do anything.
+1 for what @PhilipDAth said. RADIUS would be your easiest route. You can add NPS to a Windows server and configure 802.1x to send authorized devices to a trusted VLAN and non-authorized devices to a guest VLAN on the Meraki side.
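To make the "authenticated users into the main VLAN, everyone else into the guest VLAN" mechanism from the replies above concrete, here is an added example (not code from the thread, Meraki or Microsoft) showing what actually travels between the RADIUS server and the switch. NPS signals the VLAN in its Access-Accept using the standard RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number); the switch verifies the Response Authenticator against the shared secret before trusting the reply, and anything that is not an authenticated Accept lands in the guest VLAN. The VLAN numbers (10 trusted, 20 guest), the shared secret and the account table are constructed values, and the PEAP/MSCHAPv2 exchange is reduced to a plain credential lookup so the packet logic stays visible; those are assumptions of the example, not a description of NPS internals.

```python
import hashlib
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types (RFC 2865 / RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed values for this example (assumptions, not from the thread)
TRUSTED_VLAN = 10          # main LAN
GUEST_VLAN = 20            # Internet only
SHARED_SECRET = b"example-shared-secret"
# Stand-in for the NPS network policy: accounts allowed onto the trusted VLAN
# (an AD user plus an explicitly added consultant account).
TRUSTED_ACCOUNTS = {"CORP\\alice": "s3cret", "consultant01": "c0nsult"}


def _attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tunnel_int(atype, tag, number):
    """Tunnel integer attributes carry a 1-byte tag plus a 3-byte value (RFC 2868)."""
    return _attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def build_response(code, identifier, request_auth, attributes, secret):
    """Build a RADIUS reply; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def nps_decide(identifier, request_auth, username, password, secret=SHARED_SECRET):
    """Server side (NPS stand-in): known credentials get an Access-Accept that
    carries the trusted VLAN; anything else gets an Access-Reject."""
    if TRUSTED_ACCOUNTS.get(username) == password:
        attrs = (_tunnel_int(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN)
                 + _tunnel_int(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802)
                 + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(TRUSTED_VLAN).encode()))
        return build_response(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return build_response(ACCESS_REJECT, identifier, request_auth, b"", secret)


def parse_attributes(data):
    """Walk the TLV attribute list, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def switch_assign_vlan(packet, request_auth, secret=SHARED_SECRET, port_vlan=TRUSTED_VLAN):
    """Switch side: verify the reply came from a server holding the shared
    secret, then map the result to a VLAN. port_vlan is the port's statically
    configured VLAN, used when an Accept carries no VLAN attributes (assumption)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return GUEST_VLAN                      # reject (or any non-Accept) -> guest VLAN
    attrs = dict(parse_attributes(attributes))
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")):
        return port_vlan                       # accepted, but no dynamic VLAN given
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:             # leading byte is a tag, not part of the ID
        group = group[1:]
    return int(group.decode())


def port_auth(username, password):
    """End-to-end: the switch's request state, the server's decision, the switch's VLAN choice."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)              # Request Authenticator from the Access-Request
    reply = nps_decide(identifier, request_auth, username, password)
    return switch_assign_vlan(reply, request_auth)


def reply_with_wrong_secret_is_dropped():
    """An Accept built without the real shared secret must not move a port to the trusted VLAN."""
    request_auth = os.urandom(16)
    bogus = nps_decide(7, request_auth, "CORP\\alice", "s3cret", secret=b"not-the-secret")
    try:
        switch_assign_vlan(bogus, request_auth)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("AD user      ->", port_auth("CORP\\alice", "s3cret"))      # 10
    print("consultant   ->", port_auth("consultant01", "c0nsult"))    # 10
    print("unknown host ->", port_auth("unknown-laptop", "x"))        # 20
    print("forged reply dropped:", reply_with_wrong_secret_is_dropped())
```

The shared secret is what binds the VLAN decision to your NPS server: a reply that does not verify is discarded rather than honoured, which is why the secret configured on the Meraki RADIUS client entry and on NPS must match and should be long and unique per device. Note also that the guest VLAN is the outcome for every path that is not a verified Accept, so a misconfigured or unreachable NPS fails toward Internet-only access rather than toward the LAN.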