802.1x and NPC

Craig_Tompkins
Comes here often

802.1x and NPC

We currently have both MS and MR devices doing 802.1x authentication using Cisco ISE as our Radius server.  We authenticate domain joined devices with a domain controller CA cert (ie AD computer cert), devices that aren't domain joined such as printers we install an 802.1x cert that we created (same cert on multiple devices), Cisco phones use the MIC or LSC if the MIC has expired and then devices that don't support 802.1x we do MAC Address Bypass (MAB).

We have a simple setup.  If you pass 802.1x you get put in the data/voice vlan.  If you fail, the port is blocked.  No guest vlan, no BYOD.  We have under 500 endpoints.

My problem is that I HATE ISE.  I think for what we do it is overly complicated and overly expensive.

 

So I'm thinking about switching to Microsoft's Network Policy Server.  Can anyone relate pros vs cons on this change? How is troubleshooting failures done?

 

I've read over the Meraki docs for configuring NPS and while I have not clicked any buttons to follow along it seems to make sense. Has anyone followed a 3rd party configuration guide that might be even easier to follow?

 

Thanks in advance for any and all input.

4 REPLIES 4
PhilipDAth
Kind of a big deal

With Microsoft NPS:

  • You can perform wired 802.1x.
  • You can use certificate-based authentication.
  • For phones, you can configure the switch to drop them into a voice VLAN so they are not authenticated.
  • NPS doesn't support mac bypass very nicely.  You have to create an AD account with the username and password being equal to the MAC address.

 

Thanks Philip.

You mention wired 802.1x, but not wireless off the MR.  I'm pretty sure it can do both right?

 

As for MAB I'm ok with this setting.  I don't see it as any different than creating a MAB list in ISE except that it's stored in AD instead of ISE.  And actually that makes it easier as the helpdesk could create the user account in AD, but we don't give them access to ISE so I have to handle the MAB list myself.

I am working on setting up certificate authentication for devices that are domain joined, but I can't find a guide on how to setup a certificate authentication for something that is not domain joined.  For example, I have a cert created from my AD CA that I install on our Zero and Thin clients.  This cert has certain values of course.  In ISE I have a rule that if an 802.1x supplicant presents this cert to allow access.  I can't seem to find a way to add this cert to NPS and then create the allow rule for it.

Is this possible?  We are of course trying to limit the MAB list as small as possible - only for devices that can't present an 802.1x cert as a supplicant.

I have used this old HP guide for configuring 802.1x on HP printers for EAP-TLS authentication against Meraki MS switches and Microsoft NPS server.

http://h10032.www1.hp.com/ctg/Manual/c00731218 

 

Basically, you create a custom certificate temple in the Microsoft CA server with all the requirements, create a user in AD to load the certificate against, have the device generate a CSR, have the CA server sign that request as the user, and then install the certificate onto the device.

 

ps. I tend to setup the CA with a root certificate that is good for 20 years.  CA certificate roll over can be very painfull.

pps. I tend to change the certificate template so it can issue certificates for 10 or 20 years.  Then the certificate is valid for the entire lifetime of the IoT device and you don't have to bother with processing the renewals.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels