EAP Termination in Meraki APs?

fjulianom
Getting noticed


Hi guys,

I wonder how Meraki APs handle EAP-PEAP authentication with RADIUS. In EAP-PEAP authentication, first the RADIUS server authenticates itself to the user by sending him a certificate, and then the user authenticates with his username and password against the RADIUS server.

I am new to Meraki, but other vendors, such as Aruba, have a feature called AP termination or EAP offload. With EAP offload disabled, the RADIUS server sends a certificate to the user in order to authenticate itself, and then the user authenticates with his credentials. But when the RADIUS server doesn't have a certificate for authenticating, or you don't want to use that certificate for any reason, you can enable EAP offload. When enabled, the AP itself acts as the authentication server: the AP terminates the outer layers of the EAP protocol and only relays the innermost layer (credentials) to the external RADIUS server. This feature can be enabled or disabled with just a click. But I don't see this feature in the Meraki Dashboard, so I don't know if Meraki APs can act as the authentication server, if they cannot, or if there is some default. Can you help me?

Regards,

Julián

Adam
Kind of a big deal

I assume your ultimate goal is to have the users/computers authenticate against your RADIUS server, correct?

Some documentation on your Wi-Fi offload stuff here: https://documentation.meraki.com/MR/Encryption_and_Authentication/EAP-SIM_with_MR_Access_Points

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
fjulianom
Getting noticed

Hi Adam,

I assume your ultimate goal is to have the users/computers authenticate against your RADIUS server correct?

Yes, you are correct.

Some documentation on your wifi offload stuff here https://documentation.meraki.com/MR/Encryption_and_Authentication/EAP-SIM_with_MR_Access_Points

But it talks about EAP-SIM; I use EAP-PEAP.

Regards,

Julián

Adam
Kind of a big deal

We do EAP-TLS.

Basically, we set up one of our Windows servers as an NPS server with this configuration: https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_Creating_a_Policy_in_NPS...

Then we use GPO to push the SSID information to the clients with autoconnect. Although this step isn't technically required, it just makes connecting a little more transparent, since your users won't need to know the SSID or the PW.

Then on the Meraki AP SSID you just point it to your NPS server IP with valid credentials, and the user's computer or domain user authentication will get passed to the NPS server for validation. That will determine whether your user can connect or not. The AP, more or less, acts as a relay.

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
fjulianom
Getting noticed

Hi Adam,

Sorry, before I meant EAP-PEAP and not EAP-TLS (edited), but basically it is the same, since in both cases the server must authenticate against the user.

Don't get me wrong: some time ago I implemented a network using Meraki APs, and the users are using their credentials to connect to the Wi-Fi network; they use EAP-PEAP, and it works fine. The RADIUS server has a certificate, but because I don't have access to that network, I don't know whether, when the users connect to the Wi-Fi network, they receive the RADIUS certificate or the Meraki APs' certificate (I don't know if this is possible). Or, in other words, if the RADIUS server doesn't have a certificate, can the Meraki APs act as the authentication server and provide the certificate? Or will that scenario just not work? This is possible with the EAP offload feature in Aruba; I don't know about Meraki...

Regards,

Julián

Adam
Kind of a big deal

All of the certificate control should/would be done via the RADIUS/NPS server. Otherwise, you are basically looking to use the Meraki AP as a man in the middle. Can the person(s) that manages the RADIUS make the changes needed for you? I believe the function you are using is when clients have and use a certificate to authenticate? Which is basically similar, where the Meraki AP just forwards the request to the RADIUS server. Are you looking for a way to still allow your users to authenticate if they don't have a valid certificate?

Sorry for all the questions; I'm just trying to fully understand what you are trying to accomplish so I can come up with a best practice.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
fjulianom
Getting noticed

Hi Adam,

Can the person(s) that manages the RADIUS make changes needed for you?

But I don't need any change; as I said, the RADIUS server has a certificate, so can I assume the clients are receiving that certificate?

I believe the function you are using is when clients have and use a certificate to authenticate?

No, in that network I don't need the users to authenticate with a certificate, just with username and password (PEAP).

I think the best way to prove that is setting up a lab with a RADIUS server without a certificate and testing whether the users can authenticate or not. If they can't, it means the APs can't act as the authentication server and the RADIUS server MUST have a certificate.

But right now I remember that when I implemented that network the users could authenticate with the primary RADIUS server but not with the secondary one (there are two servers for redundancy purposes), and the problem was that the secondary server didn't have a certificate. The problem was solved once I installed the certificate on the server. I opened a thread in this community; look at this:

https://community.meraki.com/t5/Wireless-LAN/Wi-Fi-RADIUS-Authentication-failed/td-p/11676

So I guess the Meraki APs don't have that EAP offload feature.

Regards,

Julián

DCooper
Meraki Alumni (Retired)

EAP offloading terminates the EAPOL process onto the Aruba controller. If we supported EAP offloading you would have to upload a certificate to every AP, which isn't scalable. We do support Meraki authentication, where we can auth PEAP/TLS from the cloud; TLS is done with Systems Manager and tags. https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Cloud_Hosted_Authentication

Hi,

EAP offloading terminates the EAPOL process onto the Aruba controller. If we supported EAP offloading you would have to upload a certificate to every AP, which isn't scalable.

Maybe in Meraki, but that's not needed in Aruba, since each AP uses its built-in certificate.

Regards,

Julián

DCooper
Meraki Alumni (Retired)

@fjulianom The Aruba controller imports the cert from the CA onto the controller to terminate the EAPOL process, not the AP like you're alluding to. Meraki APs do not have a controller to import to, thus the comment I made. You're not going to be able to use the Aruba-issued cert on an AP to terminate the EAPOL process with your RADIUS/PKI infrastructure. I think you're getting the AP/controller communication certificates mixed up with EAP offloading.

Hi,

Honestly, I haven't used this feature with Aruba controllers, but I have with Aruba Instant APs, where there is no physical controller. And I have used this feature without importing any certificate into the AP, and the APs have terminated the EAPOL process just fine. Obviously the client gets a warning and must accept, since it doesn't have the certificate, but the client also gets a warning in case EAP offload is not used and it doesn't have the RADIUS certificate.

Regards,

Julián

DCooper
Meraki Alumni (Retired)

@fjulianom "Obviously the client gets a warning and must accept since it doesn't have the certificate, but the client also gets a warning in case EAP offload is not used and it doesn't have the RADIUS certificate." - This is only obvious when you don't have it set up correctly. When set up right, there is no accepting a certificate from the client; I made the assumption this wasn't the case.

Makes sense now that you're having the client manually accept the cert. Most people do not set it up this way for two reasons: security, and they want it to be seamless to the end user. To make it seamless you push the server cert out to the clients via GP so they do not get the message you're referring to. I can elaborate more on security, but just keep in mind quite a bit of malware uses the same techniques on accepting an unknown cert. This is why most browsers have built-in mechanisms to protect against certificates that are expired, unknown, etc.

If your clients are used to accepting the certificate and OK with it, then the process doesn't change when you go to EAP offloading and don't push each AP's cert out. If you did not want the clients to accept the certificate, you could export all of the APs' certificates and push them out.

Microsoft - https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/wireless/a-deploy...

See:

To successfully authenticate the NPS, the client computer must trust the CA that issued the NPS certificate. The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.

If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.

MRCUR
Kind of a big deal

I'm confused by what you're trying to achieve here, since you're already saying it's okay for the clients to get a warning about the server cert not being trusted. Since you're okay with that, then what's the issue with just having the RADIUS server present its cert to the clients instead of the AP's, as you have done with Aruba in the past?

I agree with @DCooper that you should avoid having clients manually accept invalid (to them) certs if at all possible. If you have management of the devices connecting to your WiFi, then you should do everything possible to ensure they trust the cert you will present from the RADIUS server. I do understand this isn't generally feasible in a BYOD setup, however.

MRCUR | CMNO #12

Hi MRCUR,

I don't want to achieve anything here; as I said at the beginning of the post, I only wanted to know if Meraki has the EAP offload feature.

Regards,

Julián
