Wireless user authentication for mobile device using Radius Authentication

IT5
New here

Wireless user authentication for mobile device using Radius Authentication

Hi Guys,

We have been done setup Radius authentication for the wireless users. Here windows users are easily connected using radius authentication with domain users but what is the scope for the Mobile devices? As we know that username with the domain is not working with the phones like window machines. Any scopes or suggestions?

 

Your prompt response will be highly appreciated

 

Many Thanks.

11 REPLIES 11
KarstenI
Kind of a big deal
Kind of a big deal

Also with non-domain-members like phones you can authenticate against AD. But for phones EAP-TLS is the better solution. Just imagine you change your password on your PC and the phone (with the saved old password) tries to reconnect several times.

Hi Karstenl,

 

Did you mean that using Radius MAC-based authentication for mobile devices?

 

Many Thanks.

KarstenI
Kind of a big deal
Kind of a big deal

No, EAP-TLS uses certificates. MAC based authentication should not be used for corporate access as MAC addresses can easily be spoofed.

Also think about using Sentry with the Meraki MDM. By enrolling the device in MDM it can automatically get a certificate to connect to a secure SSID.

Yeah true but MDM has required additional license from the Meraki support.

 

 

KarstenI
Kind of a big deal
Kind of a big deal

Yes, it's a paid license. But IMO worth it at least for company owned mobile devices.

Thanks but we can achieve this without MDM too right? I think using Radius EAP-TLS we can get this done.

 

 

KarstenI
Kind of a big deal
Kind of a big deal

Yes, you just have to compare the cost of the license with the effort you have to make in building and operating your own CA. If the CA is only for WLAN, I assume that Meraki SM could be less pricy.

If you are a friend of RedHat/CentOS/Fedora-Linux, then dogtag-CA could be a solution. For Windows Server there is a build in CA.

OK Thanks for that.

PhilipDAth
Kind of a big deal
Kind of a big deal

Mobile devices should be able to authenticate using an AD username/password (PEAP-MSCHAPv2).  I have done this a million times.

Agree with @PhilipDAth this can be done. I setup a test bench server & client doing this very thing a few weeks again. 

Of course PEAP can be used...and will work for a specific amount of time. But please note that @KarstenI made a very valid point: "Just imagine you change your password on your PC and the phone (with the saved old password) tries to reconnect several times". It's definitely error prone, as seen with more than one client of ours.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels