I have a network consisting of a few sites connected through VPN (Hub/Spoke) with several access points, and I want to provide certificate-based authentication for a specific SSID through the NPS server.
Having to configure several IPs as a source on the NPS server is quite time-consuming; enabling Meraki's RADIUS proxy and exposing the server to the internet is definitely not the best option; and using a Wireless Concentrator and driving all of the wireless traffic to a single point would result in non-optimal bandwidth utilization.
Is there any way, or are there any plans to implement a way, of using a single source for all those RADIUS requests? The ability to configure one of the MX devices as a RADIUS proxy would be a nice feature.
Did you know you can specify a prefix instead of an individual IP address in NPS? For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.
@PhilipDAth wrote: Did you know you can specify a prefix instead of an individual IP address in NPS? For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry.
The certificate-based authentication is tested and works; however, I'd rather not go with a generic /16 definition as a source.
Furthermore, there is an additional SSID that authenticates in NPS servers that I don't manage and passes through firewalls that I also don't manage (merged companies). From a security compliance perspective, there's no way that a /16 definition would be accepted.
If you are using an NPS server as a remote proxy for the additional SSID, then all those requests will come from one IP address - that of the remote NPS proxy server.
Also, did you know that if you use Systems Manager you can have it deploy a certificate automatically on each machine, for certificate-based authentication, and you don't even need NPS? Considering how cheap Systems Manager is - this is quite a good option. WiFi authentication is no longer dependent on any of your infrastructure.
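The thread weighs a single 192.168.0.0/16 RADIUS client entry against one entry per access point. The sketch below is an added example, not part of any post above: it computes the tightest prefixes per site and counts how many source addresses the resulting client entries would accept. The site names, AP addresses and the `max_extra` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory (not from the thread): site -> AP management IPs.
SAMPLE_APS = {
    "hub": ["192.168.10.16", "192.168.10.17", "192.168.10.18", "192.168.10.19"],
    "spoke-a": ["192.168.20.33", "192.168.20.34"],
    "spoke-b": ["192.168.30.5"],
}


def exact_prefixes(ips):
    """Smallest set of CIDR blocks covering exactly these addresses and no others."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return list(ipaddress.collapse_addresses(nets))


def smallest_supernet(ips):
    """Tightest single CIDR block containing every address (may admit extras).

    Assumes all addresses belong to one address family (IPv4 here).
    """
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(addrs[0])
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def plan(inventory, max_extra=8):
    """Per site: one supernet if it admits <= max_extra non-AP addresses,
    otherwise fall back to the exact blocks."""
    entries = []
    for site, ips in sorted(inventory.items()):
        sup = smallest_supernet(ips)
        extra = sup.num_addresses - len(set(ips))
        nets = [sup] if extra <= max_extra else exact_prefixes(ips)
        entries += [(site, str(n)) for n in nets]
    return entries


def exposure(entries):
    """Total number of source addresses the client entries would accept."""
    return sum(ipaddress.ip_network(p).num_addresses for _, p in entries)


if __name__ == "__main__":
    entries = plan(SAMPLE_APS)
    for site, prefix in entries:
        print(f"{site:8} {prefix}")
    wide = ipaddress.ip_network("192.168.0.0/16").num_addresses
    print(f"accepted sources: {exposure(entries)} (vs {wide} for a /16)")
```

Setting `max_extra=0` forces exact coverage, at the cost of more client entries for sites whose AP addresses are not aligned on a prefix boundary.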