I am interested in a way to have either domain-joined computers, or computers identified by MAC address, automatically authenticate to an SSID on the Meraki MR AP. I would prefer domain-joined and would like to have the wi-fi access use SSO.
The user would then log in to the computer using their domain credentials, as their connection to wi-fi would already be active.
I am reluctant, however, to use RADIUS as I do not want to poke a hole through our firewall for this, and all of the connections to the wi-fi need to be encrypted.
The only way to achieve this style of ‘automated’ logon is with the Enterprise class of authentication (e.g. WPA2-Enterprise), which uses 802.1X, which in turn requires a RADIUS server.
You don’t need to be punching holes in the firewall for your RADIUS server; it runs inside your network (most likely Microsoft NPS on a Windows Server), and when the EAP method/tunnels are correctly configured it is secure. You can authenticate either users or domain-joined machines using username/password.
Using WPA2, all your WiFi connections will be encrypted; that’s part of the standard, and it uses AES encryption.
That’s for if you configure it up with a Splash Page (captive portal). You don’t need to do authentication via a Splash Page, as you can do it using WPA2-Enterprise within an organisation. Under Wireless -> Access Control, for the association requirements, select ‘Enterprise with’ and then change the drop-down to ‘my RADIUS server’. That’s the start of configuring Enterprise authentication.
Then further down that page you enter the RADIUS server details.
@ww, yep, it’s a nice new way to do LDAP auth. Discovered it a little while ago, and can see where it fits into the mix, but the ‘standard’ RADIUS is going to provide more flexibility as you can return a Filter-ID to apply a group policy. But the Local Auth option should be good where the link back to the user identity store isn’t reliable since it’s designed to cache credentials.
Hopefully Meraki can find a way to extend this using some other protocol (ROPC?) to Azure AD, for those people who use native Azure only.
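
An added example, not part of any post in this thread: a Python check over SSID settings that confirms the setup described above, namely Enterprise (802.1X) authentication, WPA2-only encryption, no splash page, and RADIUS servers on internal addresses. The sample data is constructed, and the field names and values (`authMode`, `wpaEncryptionMode`, `splashPage`, `radiusServers`) are assumed to match the SSID object of the Meraki Dashboard API.

```python
import ipaddress

# Internal (RFC 1918) ranges a RADIUS server such as NPS would normally live in.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed API values for "my RADIUS server" and Meraki local auth.
ENTERPRISE_MODES = {"8021x-radius", "8021x-localradius"}

def audit_ssid(ssid):
    """Return findings for one SSID dict; an empty list means no issues."""
    findings = []
    mode = ssid.get("authMode")
    if mode not in ENTERPRISE_MODES:
        return [f"authMode {mode!r} is not 802.1X Enterprise"]
    if ssid.get("wpaEncryptionMode") == "WPA1 and WPA2":
        findings.append("WPA1 still allowed; use WPA2 only for AES")
    if ssid.get("splashPage", "None") != "None":
        findings.append("splash page enabled; not needed with Enterprise auth")
    if mode == "8021x-radius":
        servers = ssid.get("radiusServers") or []
        if not servers:
            findings.append("no RADIUS servers configured")
        for srv in servers:
            host = srv.get("host", "")
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                # A hostname cannot be classified offline.
                findings.append(f"RADIUS host {host!r} is a name; confirm it resolves internally")
                continue
            if not any(addr in net for net in RFC1918):
                findings.append(f"RADIUS host {host} is outside RFC 1918 space")
    return findings

# Constructed sample data (not taken from a real network).
SAMPLE_SSIDS = [
    {"name": "Corp", "authMode": "8021x-radius", "wpaEncryptionMode": "WPA2 only",
     "splashPage": "None", "radiusServers": [{"host": "10.0.0.10", "port": 1812}]},
    {"name": "Legacy", "authMode": "8021x-radius", "wpaEncryptionMode": "WPA1 and WPA2",
     "splashPage": "None", "radiusServers": [{"host": "203.0.113.5", "port": 1812}]},
    {"name": "Guest", "authMode": "psk", "wpaEncryptionMode": "WPA2 only",
     "splashPage": "Click-through splash page"},
]

if __name__ == "__main__":
    for s in SAMPLE_SSIDS:
        print(s["name"], audit_ssid(s) or "OK")
```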