Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RADIUS - Can authenticate by user, but not by computer

ElectroDan
Getting noticed
‎Jan 29 2020 2:14 AM
‎Jan 29 2020 2:14 AM

RADIUS - Can authenticate by user, but not by computer

Last year, after much troubleshooting, I managed to get RADIUS authentication working for my AD users (although the first time they connect they have to enter their AD username and password as ticking the 'Use my Windows credentials' checkbox does not work).

 

Anyway, I'd like switch to computer account authentication, so users aren't prompted to re-authenticate against the WiFi when their AD password changes. However, when I switch to this, users (all on Windows 10) are unable to connect.

 

This is what is shown in the NPS logs:

 

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 

User:

Security ID: OURDOMAIN\Daniel
Account Name: Daniel
Account Domain: OURDOMAIN
Fully Qualified Account Name: OURDOMAIN\Daniel

 

Client Machine:

Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 9A-15-54-AB-56-2D:ES_Radius_Test
Calling Station Identifier: B8-08-CF-3E-20-26

 

It looks as if the machine name isn't being passed to the RADIUS server (Windows Server 2016). Is this a bug?

 

To confirm, this is the Network Policy config that works and allows users to connect with the AD credentials:

 

This config works.This config works.

 

But if I change from User Groups to Machine Groups, users can't connect:

 

This config doesn't work.This config doesn't work.

0 Kudos
4 Replies 4
redsector
Head in the Cloud
‎Jan 29 2020 2:19 AM
‎Jan 29 2020 2:19 AM

We needed to install a certificate on the clients for "PEAP". It´s installed at the windows network configuration. We are working with an Cisco ISE as radius-server.

0 Kudos
In response to redsector
ElectroDan
Getting noticed
‎Jan 29 2020 2:28 AM
‎Jan 29 2020 2:28 AM

Thanks, did you reference a guide you can post the link to?

0 Kudos
In response to ElectroDan
redsector
Head in the Cloud
‎Jan 29 2020 3:13 AM
‎Jan 29 2020 3:13 AM

the manual is in german, sorry.

 

How to set up the Windows (Win 7) network connection for Radius PEAP connection with certificate.

Unknown-2.jpeg

0 Kudos
In response to redsector
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 29 2020 10:49 AM
‎Jan 29 2020 10:49 AM

You should be using group policy.

 

The group policy needs to configure the SSID to use machine authentication (otherwise it will use user authentication).  The group policy can also be used to distribute the certificate.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.