Hello,

from what i've seen in that document, it's talking of Radius / Active Directory authentication, not Azure Active Directory. Those two are not the same. The last one (the one I need) is using OAuth protocol and can been seen as a third party authentication authority (like google).

regards,

jo

You need to deploy a RADIUS server in Azure to make it work.

Sounds like a great idea.  

I was looking at perhaps a landing page, that redirects has a nice splash page, asks for email, then redirects your to Azure SSO for authorization.  I found theses examples:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scen...

https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-roleclaims/

https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims

Has anyone else done this?

Palo Alto has a marketplace app that integrates into Azure.  Meraki this would be an awesome addition,

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-paloaltonetworks-capti...

Actually, I can easily retrieve the userID of the connected user from my splash page using microsoft graph (https://developer.microsoft.com/en-us/graph/graph-explorer ), it's not the real problem.

The problem is providing this information to Meraki so it can be associated with the connected client.

Using "authenticated user splash page" is not an option since merakai will wait for a Radius command to Refuse or Accept the authentication. In my case I don't have a radius so I don't have any way to provide Meraki with a userID for them to store it.

I think for this to work, Meraki needs to support natively the OAuth with Azure AD (as they are already doing with google).

We've developed a click-thru webapp that uses graph API to seamlessly login the user (SSO to O365), authorize to the meraki, and then redirect the user to their original page.  

By setting the duration of the authorization in the Meraki dashboard you can have it re-authorize every 90 days for example or revoke the authorization manually.

If there is enough interest, we'll polish the solution up and provide it as either source code or a possible service if there is enough interest. Let me know. Thanks!

-Ingram

Hello,

It sounds very interesting... I would indeed be very interested by the source code.

By hosting this page on the Meraki servers, are you able to pass the connected users information to Meraki for log purpose?

Regards,

Johan

>are you able to pass the connected users information to Meraki for log purpose?

We have the all the user information that is the O365 profile available to pass to Meraki, but the Meraki EXCAP API doesn't have a mechanism to input it.    

It does register the login as it would on Ethernet with the computer's machine name.

I'm in a cloud only environment project and very interested about your solution. Woud you share your solution?

Thanks

-teemu

Hi, would you bewilling to show us the code on how you did this ?

We are looking for a solution to use 365/AzureAD to authenticate our users for access to the wifi without someting like RADIUS.

It would be greatly apreciated,

Regards Mark

Hello,

I unfortunately don't have code for you … But  I can explain the steps. The principle is the following: Create a "click-through splash page that is stored on Microsoft Azure web app and that is protected by an authentication access..

The steps are:

- Access Control,

* in your SSID, you need to a "click through" splash page.

* In the wallet garden, you need to define all Microsoft (O365) connection links.

- in the splash page section,

* You need to define a "Custom splash URL" that correspond to your Microsoft Azure web app hosting your splash page.

I hope this is clear. Let me know if it's not.

* In the wallet garden, you need to define all Microsoft (O365) connection links.

This is where we are stuck. In order to push the user to Azure AD to sign-in, the walled garden needs to allow requests to the Azure IDP. These are seemingly random IP addresses that are GEO distributed. Is there a way to whitelist by domain name to Azure AD's IDP? This would simplify having to keep tabs on the ever-changing IP address list from Azure.

..

Unstuck! It appears that under the walled garden ranges, it also supports domains, and wildcards. This should allow us to proceed with creating an application that challenges the user but allows access to the Azure IDP. Thanks for the outline above! Helpful!

I realize this post is a bit old now but - would you (or anybody that has this working) be able to share what domains you put in your "Walled Garden" to get Azure AD Sign On working?  We're implementing a SM Sentry SSID that we want to use Azure AD sign-on to enroll our user's devices, and we get to the point in the enrollment process where the Meraki page says "Login with Azure AD" but when we click that and we're redirected to the URI's we setup in our Azure AD integration, we just get a white screen.  Right now my walled garden is permitting:

*.microsoft.com

*.microsoftonline.com

*.live.com

If I connect to another network (or if I put a wildcard permit all in the walled garden) it works fine, but locking it down to these 3 above doesn't seem to work so I am missing *something* here.

Disregard.  After playing around with this and using Chrome Developer tools I was able to determine that the following domains need to be whitelisted in our Walled Garden config for the SSID in order to permit enrollment authentication using Azure AD:

*.msauth.net
*.msftauth.net
*.microsoftazuread-sso.com
*.microsoftonline.com
*.login.microsoftonline.com
*.microsoft.com

We want to do the same. Would you be willing to share your source code?

is there a more detailed explanation of this solution?  would love to get this working