Possible to user authenticate and machine authenticate at the same time?

MIFA
Here to help

Hi

I would like to use 802.1x and a NPS server to authenticate users on my wireless network, but I also would like to machine authenticate as well. User and machine are domain joined, but may run into machines that are not domain joined.
So user password should be validated on the domain server via NPS, and I will also make sure the machine is the correct one via a certificate. 

All the how to guides are using User Auth or Machine Auth, not both. Have I misunderstood something?

Regards
Michael


4 Replies
DarrenOC
Kind of a big deal

Hi @MIFA , you should be able to do both.  Below is helpful 

https://www.google.co.uk/amp/s/shabiryusuf.wordpress.com/2012/12/24/meraki-network-policy-server-nps...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Hi @DarrenOC 

Thanks for the link, however I think it's only for filling one of the purposes. User authentication, not machine authentication, or am I wrong?

Br
Michael

Bruce
Kind of a big deal

You’re correct, what @DarrenOC provided is for authenticating a user with username and password for a user. You can use the same approach to authenticate a machine with the machine username and password (assuming it’s domain joined) by checking against the Domain Computers group rather than the Domain Users. You’ll also need to change the Windows supplicant to use the Computer credentials rather than the User credentials.

If you want to use a certificate then the approach is similar, you just need to change the authentication method to Certificate or Smart Card. This Meraki document provides the details here: https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_suppor...

Bruce
Kind of a big deal

To do authentication based on two credentials passed using EAP you need EAP chaining, and to support EAP chaining you need both a supplicant (on the client) and authentication infrastructure that supports it (generally the RADIUS server). Although Windows 10 can now do EAP chaining through support of EAP-TEAP, Microsoft NPS doesn’t support it so far as I’m aware, so you only have half the solution.

You could get it to work if you use a different RADIUS server that supports TEAP - Cisco ISE is one example, not sure if there are any more at the moment. (TEAP is the ‘standardised’ version of Cisco’s EAP-FAST which has been able to do EAP chaining for some time with the Cisco AnyConnect client).
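The two answers above hinge on what the Windows supplicant is configured to present: the OneX `authMode` (machine, user, or machineOrUser, which is one identity per session depending on logon state) versus EAP chaining, which only TEAP carries. The following is an added example, not code from the thread or from Meraki, that audits an exported WLAN profile (`netsh wlan export profile`) and reports which identities it can present and whether both go in a single EAP session. It assumes the standard Windows WLAN/OneX XML namespaces and the IANA EAP type numbers, and treats "TEAP configured" as "chaining in use", which is a simplification.

```python
# Added example (not from the thread): audit a Windows WLAN profile export
# to see which identities the supplicant will present on this SSID.
import xml.etree.ElementTree as ET

# Namespaces used by the Windows WLAN profile / OneX / EapHostConfig schemas
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ox": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
}
# IANA EAP method type numbers
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST", 55: "TEAP"}

def describe_profile(xml_text):
    """Return which identities a profile can present and whether both are
    carried in one EAP session (EAP chaining, i.e. TEAP)."""
    root = ET.fromstring(xml_text)
    onex = root.find("w:MSM/w:security/ox:OneX", NS)
    if onex is None:
        return {"onex": False}  # PSK or open network: no 802.1X at all
    # authMode is optional in the OneX schema; machineOrUser is the default
    mode = onex.findtext("ox:authMode", default="machineOrUser", namespaces=NS)
    type_el = onex.find("ox:EAPConfig/eh:EapHostConfig/eh:EapMethod/ec:Type", NS)
    eap_type = int(type_el.text) if type_el is not None else None
    chained = eap_type == 55  # assumption: TEAP configured => chaining in use
    return {
        "onex": True,
        "auth_mode": mode,
        "eap_method": EAP_TYPES.get(eap_type, f"type {eap_type}"),
        "machine_identity": chained or mode in ("machine", "machineOrUser"),
        "user_identity": chained or mode in ("user", "machineOrUser"),
        "both_in_one_session": chained,
    }

def sample_profile(auth_mode, eap_type):
    """Constructed, minimal profile XML for testing (not a real export)."""
    return f"""<WLANProfile xmlns="{NS['w']}"><name>corp</name><MSM><security>
<authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
<useOneX>true</useOneX></authEncryption>
<OneX xmlns="{NS['ox']}"><authMode>{auth_mode}</authMode><EAPConfig>
<EapHostConfig xmlns="{NS['eh']}"><EapMethod><Type xmlns="{NS['ec']}">{eap_type}</Type>
</EapMethod></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""

if __name__ == "__main__":
    for mode, etype in (("machineOrUser", 25), ("machine", 13), ("user", 55)):
        r = describe_profile(sample_profile(mode, etype))
        print(mode, r["eap_method"], "both in one session:", r["both_in_one_session"])
```

With PEAP and the default machineOrUser mode the report shows both identities available but never in the same session, which is exactly the gap the thread describes.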
