Office 365 authentication on Meraki WiFi

GuillermoLazo
Comes here often


Hello people.

 

I am a student of the University of Guayaquil, Ecuador.

I am proposing to carry out a project so that the students of my university can authenticate through Office 365 using Meraki WiFi.

 

Is it possible to integrate Meraki Wifi with Office 365 (Azure AD)?

 

If this is not possible, is it possible to virtualize a Radius Server that integrates with Azure AD and in turn integrate Meraki Wifi with my virtualized Radius Server?

 

Thank you very much in advance.

12 REPLIES 12
Kamome
Building a reputation

Meraki doesn't support authentication with Azure AD directly for now.
But you can use an intermediate NPS server which is joined to Azure AD.

It seems your university uses MS Azure, so I think creating a Windows server that runs the NPS service as a VM will do the trick.
PhilipDAth
Kind of a big deal

I don't think it is a great solution but you could look at JumpCloud as well.

https://jumpcloud.com/blog/radius-authentication-microsoft-office-365/ 

@PhilipDAth - thanks for mentioning us. @GuillermoLazo, As Philip indicates, JumpCloud can act as the cloud-based RADIUS service to connect/bind your Office 365 (or Google) accounts to WiFi and VPN equipment, like Cisco Meraki WAPs and switches. We service a number of organizations who have this similar use case and we'd be happy to work with you to see if we can help.


I think it's a good solution, but is there a free temporary license to be able to take a proof of concept?

JumpCloud offers your first 10 users/machines free access, forever - https://console.jumpcloud.com/signup
Nash
Kind of a big deal

I would start with trying Windows' NPS as well. If you can get an NPS server to talk with Azure AD, then it should be relatively simple to set up 802.11x. Meraki has good instructions.

 

Make sure you get a certificate with a reasonable life span. We have had "mysterious" wifi authentication problems that boiled down to expired certificates on our NPS servers. 🙂
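
An added example (not part of the original post, and not Meraki or Microsoft code) of a scheduled check for the expired-certificate problem described above. It assumes it runs on the NPS server itself and that the certificate NPS presents sits in the `LocalMachine\My` store; the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example: list certificates NPS could present for PEAP/EAP-TLS
# and flag the ones that are expired or close to expiry.
# Assumptions: run locally on the NPS server; $WarnDays is an arbitrary default.
param(
    [int]$WarnDays = 30
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

# The script cannot tell which certificate the network policy is bound to,
# so it reports every usable server certificate in the machine store.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        # No EKU extension means the certificate is valid for any purpose.
        $_.EnhancedKeyUsageList.Count -eq 0 -or
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
    )
}

$report = foreach ($cert in $candidates) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    if ($daysLeft -lt 0) { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
    else { $status = 'OK' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Compare the reported thumbprints with the certificate selected in the NPS network policy, since a renewed certificate in the store is not used until the policy points at it.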

T1
Building a reputation

It is possible via different options. Go for NPS or Tekradius on Windows platform if you are familiar with it or even Freeradius on Linux. We've been running Tekradius on Windows Server and Freeradius on CentOS for the last 3 years or so without any problems whatsoever.
GuillermoLazo
Comes here often


It seems like a good solution. Is there any video tutorial of the integration? Or would I only need the public IP of the Office 365 of my university to be able to perform the integration?
T1
Building a reputation

I'm afraid we don't have any setup documentation left, even if we did it would be outdated by now.

Look at O365 licensing first. If your University is licensed for Azure AD Premium or Azure AD Basic + MFA, then by all means go for the NPS option: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension. That comes with MFA capabilities as well.

If the University has an Azure AD Basic license only (like we do), then you need to be more creative. Tekradius + Windows Server is arguably the easiest way to do it. Note that Tekradius is not free. Freeradius on Linux is not beginner friendly; if you haven't touched Linux before, don't bother.

Regardless of the choice you will need to spin up a few VMs in Azure. I haven't touched NPS options myself, but if memory serves TekRadius and FreeRadius couldn't handle more than 30 auth requests per second, so depending on your user base you may want to budget for this accordingly. With our 1000+ users and 30 days WiFi auth validity we make do with two VMs, which cost us about $50 a month.

TekRADIUS has a free operation mode and can handle 200+ authentication requests per second with proper hardware configuration.

TwanvanBalen
Conversationalist

Hi,

 

The only way to join an NPS server to the Azure AD is through AADS (Azure AD Domain Services).

Because this is a managed AD there are some limitations.

 

- You cannot register the NPS server in the AD, this only breaks the integration with the dial-in properties tab of the user. So you can ignore this one.

- Single sign-on will not work from on-premise domain joined devices. I tried to fix it with re-write rules in the NPS because the Azure AD will use the UPN and the on-prem netbiosdomainname\u.name. This also didn't work.

 

https://cloudinfrastructureservices.co.uk/how-to-setup-radius-server-2016-in-azure-for-wireless-auth...

 

@PhilipDAth suggested JumpCloud, maybe that is worth looking at. But it replaces your Azure AD.

Just a little clarification... JumpCloud doesn't "replace" Azure AD as that is the substrate for Office 365 (and Azure user management). What we do is integrate with Azure AD so that you can provision / manage Azure AD identities, but also use that same identity for Meraki WiFi, systems, applications, etc.
 
You can always try the platform for free or just drop us a note and we are happy to run through a demo and/or answer any questions. You can reach us at support@jumpcloud.com.
 
Happy Holidays! 