802.1X access policies - Radius and/or o365 AD with MFA

Here to help

802.1X access policies - Radius and/or o365 AD with MFA

This might be more of a feature request. Microsoft has a huge initiative to move their own internal AD to AzureAD, we well as we are moving clients to AzureAD.   (Our organization including).   We have also enabled MFA (multi factor) authentication for clients too added security. 


It would be nice if Meraki would support Azure AD for authentication or a simple combination of a way to use a RADIUS/Azure AD (with MFA support).   


We've looked at some 3rd party RADIUS providers that have support for Azure AD - but the MFA/2FA seems to be issues. 


Ideally we'd like to use 8021.X for both enterprise WiFi access and switch port access for Windows 10 devices connected directly to the switch.


Thanks for any feedback, comments, real-work experience, thoughts. Thanks! 


Kind of a big deal

Using 2FA for 802.1x would be really painful.


Take WiFi for example; if you are not using fast roaming or 802.11r you could potentially be asked for 2FA authentication everytime you roam between access points.  On the wired side you could be asked to 2FA everytime your machine rebooted.


If you really want that I think you might be better of using certificate based authentication with 802.1X and roll out a PKI solution.

I agree if it prompted over and over wouldn't be useful, but

When we use MFA/2FA with other applications like Outlook, Skype for Business, or other website resources they don't re-prompt for MFA until a policy timeout period (30 days, etc).       To me it seems the world is heading this direction, why not wireless authentication (or at least for a period of policy timeout).  


Microsoft's RADIUS Network Policy server supports RADIUS with MFA,


VPN integration with Azure MFA using NPS extension | Microsoft Docs

  1. The VPN server receives an authentication request from a VPN user that includes the username and password to connect to a resource, such as a Remote Desktop session.
  2. Acting as a RADIUS client, VPN server converts the request to a RADIUS Access-Request message and sends the message (password is encrypted) to the RADIUS (NPS) server where the NPS extension is installed.
  3. The username and password combination is verified in Active Directory. If the username / password is incorrect, the RADIUS Server sends an Access-Reject message.
  4. If all conditions as specified in the NPS Connection Request and Network Policies are met (for example, time of day or group membership restrictions), the NPS extension triggers a request for secondary authentication with Azure MFA.
  5. Azure MFA communicates with Azure Active Directory, retrieves the users's details, and performs the secondary authentication using the method configured by the user (text message, mobile app, and so on).  (I assume this secondary authentication could be configured, as to when and what rules it should ask)
  6. Upon success of the MFA challenge, Azure MFA communicates the result to the NPS extension.
  7. After the connection attempt is both authenticated and authorized, the NPS server where the extension is installed sends a RADIUS Access-Accept message to the VPN server (RADIUS client).
  8. The user is granted access to the virtual port on VPN server and establishes an encrypted VPN tunnel.




We are also using Azure AD and I made this wish (Meraki supporting Azure AD authentication) a few months ago... in the meantime I developed a suitable solution to support Azure AD authentication on our wifi network. Check the post here: https://community.meraki.com/t5/Wireless-LAN/Configure-a-splash-EXCAP-with-with-sign-on-in-Azure-AD/...


A quick update to.. We've developed a click-thru webapp that uses graph API to seamlessly login the user (SSO to O365), authorize to the meraki, and then redirect the user to their original page.  


By setting the duration of the authorization in the Meraki dashboard you can have it re-authorize every 90 days for example or revoke the authorization manually.


If there is enough interest, we'll polish the solution up and provide it as either source code or a possible service if there is enough interest. Let me know. Thanks!



Building a reputation

Was this ever polished up by chance?



Is this click-thru webapp available anywhere?



Kind of a big deal

I try and avoid 2FA as far as reasonable possible, because it causes endless headaches on a day to day basis once deployed. Fortunately, developments in technology have made it simple to drop 2FA without giving up on security. I used to have a separate  PINsentry for each of my bank accounts, but haven't used them since I set up banking apps on smart devices, and now we have the likes of Windows Hello and are spoiled for choice for USB  fingerprint readers. So a combination of biometrics, a password manager and certificates delivers a seamless authentication and authorisation process.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.