Windows Radius vs Meraki Radius with Win 7, Win 10, macOS Machines

MattZ
Conversationalist

Hello,

I've been scratching my head in trying to get a configuration set up that allows for the three types of machines above to co-exist on the same SSID.  We want to only explicitly allow company-owned machines access to the SSID, preventing BYOD machines from accessing the LAN.  We also don't necessarily want people to have to type in user credentials as the authorization method, because then there's nothing to stop someone from using their credentials on their personal laptop.

Here are a few of the iterations I've gone through:

WPA2-Enterprise with Windows NPS/Radius Server: Built a policy, per Meraki Docs, that checks for 'Domain Computers'.  This works just fine for Win7/10 machines, and I can deploy via GPO (i.e.: it does not prompt end-users for login credentials, which is what we want).  I can also deploy the 3rd party (GoDaddy) cert via GPO to the Win machines.  macOS Machines keep getting prompted to log in with username/password.  When I enter valid credentials, the next screen asks for the certificate to be used.  Via Meraki SM, I've deployed the same 3rd party certificate to these machines, and it is a choice in the drop-down menu (as is the Meraki SCEP certificate).  If I select the proper Radius certificate, the Mac keeps looping through asking for the certificate, and then finally erroring out.  If I select EAP-TLS as the mode initially, and then the proper cert, I fall into the same loop.  The MacBook is joined to the domain, so I would assume it would be included in the 'Domain Computers' group. 

WPA2-Enterprise with Meraki Authentication:  Used SM to only allow tagged machines onto the network, and deployed SM settings to deliver the SSID to the Macs.  That worked nicely.  However Win7 PCs could not join the network.  When I tried to join with a PC, the first error was a Windows Security Alert in that the radius.meraki.com certificate issuer 'AddTrust' was not configured as a valid trust anchor for the profile.  That's ok, because if I click 'Connect', it still goes to the next step.  The icon spins, and then finally errors out with a generic 'Windows could not connect to this network' error.  Win10 (Enterprise) machines also exhibit a similar behavior (just self-contained in the wifi/network panel that you click on when wanting to join a network).

I'm hoping to not have to resort to two different SSIDs to accomplish this, and am hoping that someone has had a similar challenge and can assist me in solving the problem.

Thanks!

MRCUR
Kind of a big deal

Your best bet is to go with the first option but use certificates to identify the clients. If you are using the "Domain Computers" option with user auth (as you have described), then on devices which are not aware of their domain credentials (Macs), you'd need to be connecting with the computer account username/password - which you don't know. 

If you deploy certs to all of your devices, including the Macs, you can use EAP-TLS against the Domain Computers group as the certs will be issued to the devices using the device name. No one will be prompted for credentials and BYOD won't work as you're verifying certs (which people are not issuing to themselves) and confirming they're in the Domain Computers group. Keep in mind that with this setup, you also have the flexibility of allowing user auth against the same SSID based on other security groups. This would allow you to support BYOD with your AD users, or even allow for Mac devices to join the SSID without being issued certificates (which cannot currently be automated with SM). 

Alternatively, you can use Sentry WiFi with Windows & Mac devices however Win 7 devices are not officially supported. Sentry WiFi should work correctly with Win 10 & Mac (and iOS if you have it). See here for the documentation to verify your setup: https://documentation.meraki.com/SM/Other_Topics/Certificate-based_WiFi_authentication_with_Systems_...

MRCUR | CMNO #12
MattZ
Conversationalist

@MRCUR wrote:

Your best bet is to go with the first option but use certificates to identify the clients. If you are using the "Domain Computers" option with user auth (as you have described), then on devices which are not aware of their domain credentials (Macs), you'd need to be connecting with the computer account username/password - which you don't know. 

Do you mean, instead of using my GoDaddy Radius cert, I should use something different?  I'm able to distribute that cert to all of the clients (Win & Mac) with no issue via GPO & MDM.  On the NPS server, my 'condition' is 'Domain Computers' and my 'constraint' EAP type is PEAP, with 'Smart Card or other Certificates' selected.  The GoDaddy Radius cert is the one selected in both areas.

MRCUR
Kind of a big deal

If you deploy a single cert to all machines, then all you are doing is verifying any client has that single certificate which is not unique to each client. You will still need the GD cert for the NPS server as the NPS server needs to present a cert to client devices for them to verify the NPS identity. Devices will not connect if they don't trust the cert that is presented from NPS by default as you've already seen. 

I am suggesting you deploy a CA and issue certificates to your devices. This way you can verify the device identity, you aren't using a shared cert on all of your devices and you can stick to a single SSID to support all of your clients. 

MRCUR | CMNO #12
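As an added example (not code from the thread, Meraki or Microsoft), the following PowerShell readiness check, run on a domain-joined Windows client, confirms it holds a device-identifying EAP-TLS certificate of the kind MRCUR recommends (issued to the device name by an internal CA, Client Authentication EKU, private key present) and that the root of the NPS server's certificate is trusted, which is the trust-anchor failure MattZ saw. The CA subject names assigned to $IssuingCA and $RadiusRootCN are placeholders to replace with your own.

```powershell
# Placeholders: the subject of the internal CA that issues device certs and
# the root CA of the certificate the NPS server presents.
$IssuingCA    = 'CN=EXAMPLE-ISSUING-CA'
$RadiusRootCN = 'CN=EXAMPLE-RADIUS-ROOT-CA'

# FQDN of this machine; on a domain-joined client this is what a machine
# certificate issued through GPO autoenrollment names.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Candidate machine certificates: private key present, not expired, and
#    carrying the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
}

# 2. Keep only certificates that actually identify THIS device (DNS name from
#    the SAN or CN equals the FQDN) and come from the internal CA. A single
#    server certificate pushed to every machine fails here by design: it names
#    the RADIUS server, not the client, so it cannot prove device identity.
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$deviceCerts = $candidates | Where-Object {
    ($_.GetNameInfo($dnsType, $false) -ieq $fqdn) -and
    ($_.Issuer -like "*$IssuingCA*")
}

if (-not $deviceCerts) {
    Write-Warning "No device-identifying EAP-TLS certificate for $fqdn from $IssuingCA; autoenrollment has not delivered one yet."
} else {
    $deviceCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 3. The client aborts the 802.1X handshake if it cannot build a trusted chain
#    for the certificate NPS presents, so the server's root CA must be in the
#    machine Trusted Root store.
$trustedRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "$RadiusRootCN*" -and $_.NotAfter -gt (Get-Date) }

if (-not $trustedRoot) {
    Write-Warning "Root CA '$RadiusRootCN' is not in Trusted Root Certification Authorities; this client will not trust NPS."
} else {
    Write-Output "RADIUS root CA trusted: $($trustedRoot[0].Thumbprint)"
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable; on a Mac the equivalent check is that the SM/SCEP-delivered identity certificate names the device and chains to the same internal CA.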
PhilipDAth
Kind of a big deal

Going a little sideways, have you considered using "Open" authentication with Systems Manager Sentry enrolment?

I think I like @MRCUR's idea though.  Note that for Windows machines you can create a group policy to automatically issue the certificates (so there is nothing you need to do on each machine).  You would just need to enroll the Macs manually.


MattZ
Conversationalist

@PhilipDAth wrote:

Going a little sideways, have you considered using "Open" authentication with Systems Manager Sentry enrolment?

I would very much not like to have an open/unencrypted network connected to the corporate LAN.
