Meraki

Community

Client Authentication using MAC and AD account

Solved
ajiang
New here
‎Jul 21 2024 2:30 AM
‎Jul 21 2024 2:30 AM

Client Authentication using MAC and AD account

I want to control user devices through their MAC address and AD account when accessing the wireless network. That means, to access the wireless network, the device must have its MAC address registered beforehand and log in with the correct AD account. How can I implement this on a Meraki MR device?

0 Kudos
1 Accepted Solution
Purroy
Meraki Employee
Meraki Employee
‎Jul 21 2024 2:40 AM
‎Jul 21 2024 2:40 AM

This is really a function of the Radius server that you are using.  If the radius server is able to take into account both factors (MAC + AD account) when deciding to provide or deny access then yes.

 

Windows built-in radius server (NPS) is not able to do that.  This can be performed with more advanced radius servers, such as Cisco ISE or others.


If what you are trying to achieve is that employees login onto wireless (AD auth) only with their corporate issued PCs then I would suggest to use Machine Authentication rather than username/password.  With Machine Authentication the Radius server verifies with AD if that machine belongs to the domain.  Then the user will be validated when they login into the machine.  Assuming that this is a Windows environment.

View solution in original post

3 Replies 3
Purroy
Meraki Employee
Meraki Employee
‎Jul 21 2024 2:40 AM
‎Jul 21 2024 2:40 AM

This is really a function of the Radius server that you are using.  If the radius server is able to take into account both factors (MAC + AD account) when deciding to provide or deny access then yes.

 

Windows built-in radius server (NPS) is not able to do that.  This can be performed with more advanced radius servers, such as Cisco ISE or others.


If what you are trying to achieve is that employees login onto wireless (AD auth) only with their corporate issued PCs then I would suggest to use Machine Authentication rather than username/password.  With Machine Authentication the Radius server verifies with AD if that machine belongs to the domain.  Then the user will be validated when they login into the machine.  Assuming that this is a Windows environment.

ajiang
New here
‎Jul 21 2024 8:12 AM
‎Jul 21 2024 8:12 AM

Thank you, Purroy.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 21 2024 2:05 PM
‎Jul 21 2024 2:05 PM

Because Meraki group policies are applied based on Mac address, you could set the default Wireless Firewall rule to deny everything, and then create a group policy called something like "Approved", which overrides the firewall rule and allows access, and apply it to every machine that is approved to access the network.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.