iOS and WPA2 with Radius Authentication

SOLVED
Son
Here to help

iOS and WPA2 with Radius Authentication

Hi All,

 

We are about to deploy our Meraki wireless solution in our business and out of the blue a new requirement has come up which we were not told about before!

 

We have a requirement to allow some corporate owned iOS devices (iPads and iPhones) to be accessible on the corporate network, however, we are using Microsoft NPS server with PEAP authentication and a certificate from a trusted CA and allowing Domain Computers to be authorised onto the SSID. Obviously iPads and iPhones cannot be a Domain Computer so how is it best to utilise the NPS server and create a new policy to seamlessly allow these devices onto the network but restricting them by device not user. I guess some sort of MAC authentication would be best here. 

 

We want to use these tools only at the moment not purchase anything else such as Cisco ISE as an NAC.

 

If someone could help and provide any documentation that would be great!

 

Thanks

 

Sonny

1 ACCEPTED SOLUTION
JohnT
Getting noticed

You have to add the user to the authentication group instead of the computer which will give the user access to the corporate WiFi.  If you also want to lock it down to a single device you need to enter the Mac Address in the "Verify Caller-Id:" field on the Dial-In tab in Active Directory.  If the user has more than one IOS device you will need to use regular expressions like A1B2C3D4E5F6 | A2B3C4D5E6F7.

 

2019-08-15 09_51_39-Window.png

View solution in original post

10 REPLIES 10
JohnT
Getting noticed

You have to add the user to the authentication group instead of the computer which will give the user access to the corporate WiFi.  If you also want to lock it down to a single device you need to enter the Mac Address in the "Verify Caller-Id:" field on the Dial-In tab in Active Directory.  If the user has more than one IOS device you will need to use regular expressions like A1B2C3D4E5F6 | A2B3C4D5E6F7.

 

2019-08-15 09_51_39-Window.png

jdsilva
Kind of a big deal

You should be able to install a cert from your CA via your MDM for corp owned IOS devices so they can authenticate to the WiFi the same way a domain machine would. 

 

Son
Here to help

Hi John,

 

Thanks for this, so are we supposed to add the hyphens in as your screenshot denotes or should we just enter the characters only? See below a copy of our NPS policy, I had to create a new one to match the same SSID but this time with an AD user group which has the permitted user in who requires access with an iOS device and I have added the MAC address in the Verify Caller-ID for that user who i've asked to test. So all being well this will implement user / MAC authentication into one? Let me know if you spot anything incorrect with this?  Thanks!

 

Example.GIF

JohnT
Getting noticed

HI Sonny, that looks correct.  I usually test with the user first and no MAC address to limit the breaking points.  Once the user auth works, I add the MAC address.  I believe you need the hyphens.

 

-John

Son
Here to help

Massive thanks John this is working as expected.

 

Now got to figure out why the traffic is not being routed as expected for these devices! Hopefully it is not anything to do with the Radius policy but doubt it, will review that and raise another case if necessary!

 

Thank you

PhilipDAth
Kind of a big deal
Kind of a big deal

If you have permission, export the certificate from the computer (including the private key) and then import it onto your iOS device.

The problem is that when you use NPS it authenticates the computer account in a security group.  I don't know of a way to add an IOS device to the domain even with a certificate.  Unless I'm missing something here. 

SantiagoGarces
Conversationalist

on the SSID enable group policies and select whitelist to allow iPhones, Mac, IPad or whichever you want

SLR
Building a reputation

we are doing something similar and access via wifi on phone/handheld devices crossed my mind as well because I have all domain computers/users to be able to connect to the wifi
we are doing radius athentication - does the accepted solution apply to our use case scenario as well?

we will have guest wifi ssid I am assuming that would be WPA2-PSK with a supplied password. I guess all phones/handhelds can connect that way instead.
JohnT
Getting noticed

@SLR If you are connecting with WPA-PSK this does not apply.  This is only relevant if you want to add your phone/handheld devices to the corporate wifi that uses Radius with domain authentication.  Hope this helps.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels