Client Authentication using MAC and AD account

Solved
ajiang
New here

I want to control user devices through their MAC address and AD account when accessing the wireless network. That means, to access the wireless network, the device must have its MAC address registered beforehand and log in with the correct AD account. How can I implement this on a Meraki MR device?

1 Accepted Solution
Purroy
Meraki Employee

This is really a function of the RADIUS server that you are using. If the RADIUS server is able to take into account both factors (MAC + AD account) when deciding to provide or deny access, then yes.

Windows' built-in RADIUS server (NPS) is not able to do that. This can be performed with more advanced RADIUS servers, such as Cisco ISE or others.

If what you are trying to achieve is that employees log in to wireless (AD auth) only with their corporate-issued PCs, then I would suggest using Machine Authentication rather than username/password. With Machine Authentication the RADIUS server verifies with AD if that machine belongs to the domain. Then the user will be validated when they log in to the machine. This assumes a Windows environment.


3 Replies
ajiang
New here

Thank you, Purroy.

PhilipDAth
Kind of a big deal

Because Meraki group policies are applied based on MAC address, you could set the default Wireless Firewall rule to deny everything, and then create a group policy called something like "Approved", which overrides the firewall rule and allows access, and apply it to every machine that is approved to access the network.
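The design above, automated as an added example (not code from the thread, from PhilipDAth, or from Meraki): it parses a MAC registry file, reports which connected clients are not registered, and assigns the "Approved" group policy per MAC through the Dashboard API. It assumes API v1's PUT /networks/{networkId}/clients/{clientId}/policy accepts the MAC as clientId (check the current API docs), that the group policy already exists, and that client records come from GET /networks/{networkId}/clients.

```python
"""Constructed example of PhilipDAth's design: default-deny wireless firewall,
then an "Approved" group policy assigned to every registered MAC. Not from the
thread or from Meraki; assumes Dashboard API v1's
PUT /networks/{id}/clients/{clientId}/policy accepts the MAC as clientId."""
import json
import re
import urllib.error
import urllib.request

BASE = "https://api.meraki.com/api/v1"

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects anything but 12 hex digits."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_registry(text: str) -> set:
    """Registry file: one MAC per line, any separator style, '#' comments."""
    macs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            macs.add(normalize_mac(entry))
    return macs

def classify_clients(clients, registry):
    """Split client records (each with a 'mac') into (registered, unregistered)."""
    seen = {normalize_mac(c["mac"]) for c in clients}
    return seen & registry, seen - registry

def approved_policy(group_policy_id: str) -> dict:
    """Body for the per-client policy PUT (group policy must already exist)."""
    return {"devicePolicy": "Group policy", "groupPolicyId": group_policy_id}

def apply_approved(api_key, network_id, macs, group_policy_id):
    """PUT the Approved policy for each registered MAC; returns failures."""
    failed = []
    for mac in sorted(macs):
        req = urllib.request.Request(
            f"{BASE}/networks/{network_id}/clients/{mac}/policy",
            data=json.dumps(approved_policy(group_policy_id)).encode(),
            method="PUT",
            headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
        try:
            urllib.request.urlopen(req, timeout=30).close()
        except urllib.error.HTTPError as err:
            failed.append((mac, err.code))
    return failed
```

The unregistered set returned by `classify_clients` is the list of devices landing on the default-deny rule; the AD half of the original requirement still has to come from the RADIUS/802.1X configuration on the SSID, as Purroy describes.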
