We have a couple of MR42's and I want to see if this scenario can be archived using RADIUS. Here are the requirements:
If it is not doable with RADIUS, any alternative?
Is the Meraki System Manager an option?
You can use Radius Mac filtering, but in my opinion, it's not a good option because you need to change your password policy, to an option with less security.
This is possible, although it just became more complicated with Windows 11 22H2 when Microsoft (but surprise) disabled one of the most used protocols for doing it.
You'll need to use the Microsoft Certificate server (built into Windows), and deploy a certificate onto every device (for Windows machines you can do this via group policy automatically).
You'll use WPA2-Enterprise mode on the WiFi side, and I would use EAP-TLS as the authentication protocol. You'll use Network Policy Server (NPS) on Windows to achieve this.
Meraki had a guide for doing this using the much simpler MSCHAPv2. If you don't have Windows 11 machines in your environment, you can start with using this approach, and then add on certificates at a later point in time.
Otherwise - if you haven't done this before don't have certificate services already deployed - get someone in to help you. It is massively more complicated now.
The already suggested EAP-TLS is sadly not enough to solve this as the machine- and user authentication is decoupled. There are some workarounds but the only real way is to use TEAP (or the previous version EAP-FAST) as the EAP method because here we can do EAP-Chaining which couples the user-authentication to the already done machine-authentication.
Not sure if NPS supports it. This is for Cisco ISE, perhaps you can adopt it:
I think EAP-TLS will be sufficient if he relaxes the conditions slightly and just does machine-based certificate authentication.
He can then at least verify that only authorised machines are attached to the network.
In this case he only knows this for his own machines. But unless *all* devices support EAP-TLS (I haven't seen this on any network) he can't make sure that the user connects with domain-credentials from his personal PC.
But I am completely with you that relaxing the requirements is the right way. Really achieving *this* goal is one of the hardest in the .1X implementation.