Meraki

Community

EAP-TTLS or PAP for Wired Port Security

brconflict
Here to help
‎Jun 1 2020 2:00 PM
‎Jun 1 2020 2:00 PM

EAP-TTLS or PAP for Wired Port Security

I've been campaigning for a working solution to how users Authenticate for wired port security, and it's sort deflating that the industry standard methods are simply not working for me me.

 

My goal: In my org, I have the desire to use Okta for a user-base, and to have all networks around the globe (all Meraki MS switches) to Auth users with Okta.

 

  • Okta doesn't support RADIUS MSCHAPv2 (Microsoft refuses to work with them, I'm told).
  • Meraki MS switches don't support EAP-TTLS or PAP RADIUS.
  • Okta supports a cloud-based RADIUS solution, but again, doesn't support MSCHAPv2, the only protocol Meraki does support.

 

My workaround: Since I need this global network to exist, and for my teams to onboard/offboard users as needed, meanwhile allow users to easily travel to our offices without hindrance, I'm having to provide:

 

  • Active Directory running NPS (RADIUS) at each location, or in AWS.
  • Authenticate wired port security users directly with each location's AD/NPS.
  • Use Okta agent and push-groups to push users and group assignments to each integrated AD.

 

Outlook: What are the chances Meraki will extend Authentication at wired ports to use EAP-TTLS, or to work with Okta on a real integration? Thanks!

 

 

10 Replies 10
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 1 2020 11:46 PM
‎Jun 1 2020 11:46 PM

>Meraki MS switches don't support EAP-TTLS or PAP RADIUS.

 

EAP encapsulates the authentication method inside itself - so the switch doesn't have to specifically support EAP-anything as the encapsulation means it will support EAP-everything.  So EAP-TTLS will be supported - because the switch doesn't see it - the TTLS bit is encapsulated inside of EAP.

To use EAP-TTLS you will need to explicitly configure your clients to use this specific type of authentication, and for your RADIUS server to support this.  Note that in the Microsoft desktop family - only Windows 10 supports EAP-TTLS.

 

A simpler approach - have you considered using certificate-based authentication (specifically EAP-TLS)?  Much simpler, it is widely supported by devices (including printers), and you can use simple Microsoft NPS.

In response to PhilipDAth
brconflict
Here to help
‎Jun 2 2020 6:56 AM
‎Jun 2 2020 6:56 AM

To be clear, RADIUS with MSCHAPv2 works fine for AD, which is the method we're using. The goal, ultimately is to remove AD altogether and use a single cloud-based solution. Okta is almost there, but without MSCHAPv2, it's simply not possible.

 

As for using MSCHAPv2 in SAMBA, I suspect there's a licensing challenge there since SAMBA is free (GNU), and Okta Authentication isn't. Perhaps they could build it into the package as value-add, but I suspect they would be naive to assume Microsoft wouldn't try to stop that if Okta is a competitor. I don't personally know the mechanics of that challenge they have, but their engineering team said they've not been allowed to employ it for whatever reason.

0 Kudos
In response to brconflict
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 2 2020 12:19 PM
‎Jun 2 2020 12:19 PM

Nope you can freely use and copy SAMBA.

https://www.samba.org/samba/docs/GPL.html 

 

0 Kudos
In response to PhilipDAth
brconflict
Here to help
‎Jun 2 2020 1:10 PM
‎Jun 2 2020 1:10 PM

If that's the case, I'm not fully understanding if/why Okta cannot or will not use it. I've worked on them for over a year in the hopes to get them to implement, but they've said it was not going to happen. We're researching other workarounds, which centralize AUTH, but allow Meraki wired 802.1x to work with it.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 1 2020 11:47 PM
‎Jun 1 2020 11:47 PM

>Okta doesn't support RADIUS MSCHAPv2 (Microsoft refuses to work with them, I'm told).

 

They don't need Microsoft to work with them.  They could copy they MSCHAPv2 code out of the very popular open-source SAMBA package.

0 Kudos
tboo
New here
‎Jun 16 2020 4:34 PM
‎Jun 16 2020 4:34 PM

+1 would love to see this sort of functionality - exciting that its coming to the wireless side of things - but really need it for our switches/wired access as well.

0 Kudos
ashwiniyer
Just browsing
‎Sep 13 2022 7:11 PM
‎Sep 13 2022 7:11 PM

Hi All,has there been any change to this or Meraki MS still dont support EAP-TLS?

0 Kudos
In response to ashwiniyer
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 13 2022 7:16 PM
‎Sep 13 2022 7:16 PM

Meraki MS has always supported EAP-TLS.  I have a customer deployment using it.

0 Kudos
In response to PhilipDAth
brconflict
Here to help
‎Sep 14 2022 5:41 AM
‎Sep 14 2022 5:41 AM

How many users? Are they all using the same certificate, or are they generating certs for individual users?
In my org, we have thousands of users all over the globe.

0 Kudos
In response to brconflict
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 14 2022 11:56 AM
‎Sep 14 2022 11:56 AM

Maybe 300 users using per-user certificates.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.