Meraki NPS Radius Authentication deny non domain joined devices



We have set up Meraki NPS RADIUS authentication and it works like it should. The only issue is that non-domain-joined devices are able to connect to the RADIUS SSID, as we are giving out certificates automatically. What's the best solution to block non-domain-joined devices? If you have detailed steps, we would greatly appreciate that.



Configure group policy to deploy certificates from an enterprise CA to each machine.  Configure a group policy to perform machine-based authentication.

Configure NPS to only do certificate-based authentication and restrict the user to "Domain Computers".


We are using user-based authentication to allow only certain OUs to have access to WiFi. Can it be configured at the same time with machine-based authentication?

The process for JumpCloud would be:

1. Import AD users into JumpCloud

2. Create a group and add the users who should have access to the WiFi

3. Go to RADIUS, set up RADIUS, and assign the group to the RADIUS Configuration.

4. Set up the SSID to use Enterprise with my RADIUS server and enter the information for JumpCloud's RADIUS servers


PM me if you want more information about JumpCloud.







Dave Anderson

Let me get a little more specifics.

Right now we have configured NPS to authenticate with AD users that are part of a certain domain group. In our case, laptops that are not part of the domain are still able to use the same AD credentials and log in to the same corporate WiFi. We are trying to stop that and have only domain-joined devices able to connect to the corporate WiFi. How can we authenticate only certain users' OUs and only domain-joined devices?

Use certificate-based authentication, and create an AD group of who is allowed access, and configure NPS to restrict access to that group.
