Domain joined computer AUTH to wi-fi

Damian-UK
Comes here often

I am interested in a way to have computers, either domain-joined or by MAC address, automatically authenticate to an SSID on the Meraki MR AP. I would prefer domain-joined and would like to have the Wi-Fi access use SSO.

The user would then log in to the computer using their domain credentials, as their connection to Wi-Fi would already be active.

I am reluctant, however, to use RADIUS, as I do not want to poke a hole through our firewall for this, and all of the connections to the Wi-Fi need to be encrypted.

Is this possible or am I asking too much?

TIA

Damian

5 REPLIES
Bruce
Kind of a big deal

Re: Domain joined computer AUTH to wi-fi

The only way to achieve this style of ‘automated’ logon is with the Enterprise class of authentication (e.g. WPA2-Enterprise), which uses 802.1x, which in turn requires a RADIUS server.

You don’t need to be punching holes in the firewall for your RADIUS server; it runs inside your network (most likely Microsoft NPS on a Windows Server), and when the EAP Method/Tunnels are correctly configured it is secure. You can authenticate either users or domain-joined machines using username/password.

Using WPA2, all your WiFi connections will be encrypted; that’s part of the standard, and it uses AES encryption.

Have a look through these documents to get you started: https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP... and https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...
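
Added example (not part of the thread, and not Meraki or Microsoft code): a check an admin could run over a Windows profile exported with `netsh wlan export profile` to confirm the client side matches what the answer above describes, that is WPA2-Enterprise with 802.1X, AES, and machine authentication so Wi-Fi is up before the user logs on. The SSID, server name and trimmed EAPConfig are constructed placeholders, and treating a missing `authMode` or `ServerNames` as a finding is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `netsh wlan export profile` output.
# SSID and server name are placeholders; the EAPConfig is trimmed to the
# server-validation field this check reads.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-WiFi</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><ServerValidation>
        <ServerNames>nps01.corp.example</ServerNames>
      </ServerValidation></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    # Index elements by local name so the nested namespaces do not matter.
    vals = {}
    for el in ET.fromstring(xml_text).iter():
        vals.setdefault(el.tag.split("}")[-1], (el.text or "").strip())
    findings = []
    # WPA2 plus useOneX=true is WPA2-Enterprise; WPA2PSK would be a shared key.
    if vals.get("authentication") != "WPA2" or vals.get("useOneX") != "true":
        findings.append("SSID is not WPA2-Enterprise (802.1X)")
    if vals.get("encryption") != "AES":
        findings.append("cipher is not AES")
    # Assumption: a missing authMode is reported so the setting is explicit.
    if vals.get("authMode") not in ("machine", "machineOrUser"):
        findings.append("no machine auth, so no Wi-Fi before user logon")
    if not vals.get("ServerNames"):
        findings.append("RADIUS server name is not pinned")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE) or ["profile OK"]:
        print(finding)
```
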

Damian-UK
Comes here often

Re: Domain joined computer AUTH to wi-fi

Bruce,

Thanks for your quick response. This is what led me to believe I needed a hole in our firewall:

[Attached screenshot]

Bruce
Kind of a big deal

Re: Domain joined computer AUTH to wi-fi

That’s for if you configure it up with a Splash Page (captive portal). You don’t need to do authentication via a Splash Page, as you can do it using WPA2-Enterprise within an organisation. Under Wireless -> Access Control, for the association requirements, select ‘Enterprise with’ and then change the drop-down to ‘my RADIUS server’. That’s the start of configuring Enterprise authentication.

Then further down that page you enter the RADIUS server details.

ww
Kind of a big deal

Re: Domain joined computer AUTH to wi-fi

There is also a new option, but I'm not familiar with this myself.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

Bruce
Kind of a big deal

Re: Domain joined computer AUTH to wi-fi

@ww, yep, it’s a nice new way to do LDAP auth. Discovered it a little while ago, and can see where it fits into the mix, but the ‘standard’ RADIUS is going to provide more flexibility as you can return a Filter-ID to apply a group policy. But the Local Auth option should be good where the link back to the user identity store isn’t reliable since it’s designed to cache credentials.

Hopefully Meraki can find a way to extend this using some other protocol (ROPC?) to Azure AD, for those people who use native Azure only.
