Hardware Authentication / WiFi without Systems Manager MDM


Is there a way to authenticate a user along with the hardware on WiFi (WPA2 Enterprise) without the device being enrolled in the Meraki MDM?  We are unable to use the MDM at the feature-level it's currently at for both Windows and Mac OS users, but need to authenticate the user as well as the hardware device.




Yes, but it may not be easy depending on your requirements.


It all comes down to the capabilities of your client and RADIUS server (for the 802.1x authentication). Every RADIUS server will support a single authentication method as part of the EAP process - this might be a username/password combination with PEAP-MSCHAPv2, or a certificate with EAP-TLS. And that authentication could be a user username/password, or a device username/password (for an AD-registered device), or the certificate of a user or device.


It may be that to meet your requirements it’s sufficient to authenticate your device to the network (with a certificate or username/password depending on what is available) and then rely on the authentication of the user to access the server resources as the ‘secondary’ authentication.


If you want to actually authenticate both the device and the user with 802.1x (WPA2 Enterprise) then you need to use EAP chaining. The problem is there are very few clients and RADIUS servers that support it. Windows 10 does support TEAP for EAP chaining, or you could use a different supplicant installed on the client (e.g. Cisco AnyConnect) to support it. For a RADIUS server, Cisco ISE supports TEAP for EAP chaining, but I’m not aware of much support outside of this.


I’d tend to look just at the device authentication. If you’ve got the infrastructure and ability to do certificate-based authentication then have a look at that for everything. Otherwise I’d look at two SSIDs, one for the Meraki MDM managed devices, and one for the Windows devices which you can authenticate with computer username/password (assuming they're domain joined) with NPS to provide the RADIUS service - and use GPOs to push the WiFi SSID details.

Thanks! It doesn't really solve my problem, so maybe Meraki would consider stepping up beyond the MDM/Sentry rule(s).

MFA: If a new user authenticates on the network each day, with a single MFA in a Splash Page, then the user can be "authenticated" through the day, free to roam. If a new device MAC address authenticates during the day, or another device on a separate AP or network authenticates as the same user, that new device is prompted for MFA.


Some tout that password expiry is a bad idea, because users tend to write down passwords. I disagree, because you otherwise would never know if your user/pass was ever compromised, and it may not manifest as a breach until years after the credentials were unwittingly compromised. Plus, when users who typically write passwords down commit their first password, they may write that one down anyway.
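The daily-MFA rule proposed in the post above, sketched as decision logic. This is an added example, not part of the original thread and not a Meraki feature; `MfaGate`, its method names and the sample events are hypothetical, and because it keys on the client MAC as the post does (a value the client sets), it scopes a session rather than proving hardware identity.

```python
from datetime import datetime

def norm_mac(mac):
    """Canonicalise a MAC so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class MfaGate:
    """Remembers which MACs each user has cleared MFA on today (hypothetical)."""
    def __init__(self):
        self.day = None      # calendar day the state below belongs to
        self.cleared = {}    # user -> set of normalised MACs

    def _roll(self, now):
        if self.day != now.date():   # new calendar day: forget everything
            self.day, self.cleared = now.date(), {}

    def decide(self, user, mac, now):
        """AP/SSID is deliberately not an input: a cleared MAC may roam freely."""
        self._roll(now)
        macs = self.cleared.get(user.lower())
        if not macs:
            return "mfa:first_login_today"
        return "allow" if norm_mac(mac) in macs else "mfa:new_device"

    def record_mfa_success(self, user, mac, now):
        self._roll(now)
        self.cleared.setdefault(user.lower(), set()).add(norm_mac(mac))

# Constructed sample events: (timestamp, user, client MAC, AP name).
SAMPLE = [
    ("2024-05-06T08:00", "alice", "AA:BB:CC:00:00:01", "ap-lobby"),
    ("2024-05-06T10:30", "alice", "aa-bb-cc-00-00-01", "ap-floor2"),  # roamed
    ("2024-05-06T11:00", "alice", "AA:BB:CC:00:00:02", "ap-floor2"),  # 2nd device
    ("2024-05-07T08:05", "alice", "AA:BB:CC:00:00:01", "ap-lobby"),   # next day
]

def replay(events):
    """Run events through the gate, assuming every MFA prompt is passed."""
    gate, out = MfaGate(), []
    for ts, user, mac, _ap in events:
        now = datetime.fromisoformat(ts)
        verdict = gate.decide(user, mac, now)
        if verdict != "allow":
            gate.record_mfa_success(user, mac, now)
        out.append(verdict)
    return out
```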

I would highly recommend looking into CWA with Cisco ISE; what you are looking for can be done only by presenting the client with a splash page. Cisco ISE can be integrated with any supported and compatible MFA service provider and then use the CWA process (Guest device compliance).

Thanks for the input. See, the problem with Cisco ISE is, it provides a host and wealth of other features we simply don't need. We're not going to Cisco ISE because it does "too much" and requires too much effort to set up to solve one simple problem. It would be cheaper and far simpler to use Meraki MDM with Sentry rules, but, the MDM won't co-exist with our approved MDM, unfortunately. Plus, the Meraki MDM price doesn't compete with our chosen options.
