Design or implementation Wireless Auth WPA2 enterprise with EntraID / Office365 user accounts
I am looking for a recent design guide or implementation info to convert our WPA-PSK wireless to WPA-Enterprise. Documentation I have seen says an intermediate RADIUS server is required. Has this not changed yet?
We have given out our PSK so many times we may have posted it on Facebook. Adding more control and linking to userID on Office365 is the objective. We are completely cloud based so do not have the infra or facilities to host a RADIUS server.
What are the options?
We can do SSO for Meraki dashboard login, what are the options for WPA2-Ent for the wireless connections? Our source of truth for user accounts is EntraID. I would like to link to that.
Ideas?
Yes, you still need an intermediate server, but you don't need to install this server on your on-prem infrastructure, you can simply create a new machine in your cloud environment (AWS, Azure, etc.).
Other than that, you can use Meraki's own base for authentication and/or authentication with iPSK without RADIUS.
Configuring WPA2-Enterprise with Meraki Authentication - Cisco Meraki Documentation
Enabling WPA2-Enterprise in Windows - Cisco Meraki Documentation
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS
Please, if this post was useful, leave your kudos and mark it as solved.
I have found that there are public RADIUS services (https://idblender.com/pricing) which can backend to O365. So that might be an option.
We don't have AWS / Azure facilities as we are a non-technical events company - So that option is out.
Using Meraki auth might be OK, if we could import or sync the user accounts from O365. The point is password and user tied to a single source of truth. If they leave, we only have to switch off one thing.
It seems Meraki are soooo close but just missing the last piece.
In this case, a third-party RADIUS solution that integrates with O365 is the best option considering that you cannot import these user accounts into Meraki.
https://jumpcloud.com/blog/radius-authentication-microsoft-office-365
Please, if this post was useful, leave your kudos and mark it as solved.
A while back, there was an article about integrating Meraki Wireless with Azure Cloud PKI, using Cloud Authentication on the SSID.
I haven't tried it myself, but try taking a look at
Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for Code execution lies solely your own.
Interesting idea and seems to fit most scenarios. One issue for me is we don't use / license Intune. We are also an Apple client house. All the references are for WIN clients so not sure how this would apply for macOS and iOS.
Maybe I will test it and see what happens.
Thanks for the guidance
Without holding me against it, I don't necessarily think this only applies to Intune/EntraID.
Perhaps it would be possible to do something along the lines similar to what's being done on Entra Cloud PKI. From what I can read, essentially you need to have the Meraki RootCA in your CA chain, and ensure this is present in the certificate chain.
But like I said, don't hold it against me.
Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for Code execution lies solely your own.
You could also look at using Trusted Access (additional licence needed). It deploys certificates onto devices and uses that to authenticate.
802.1x gives me two options - certs or userID.
I was thinking that UserID might be simpler as the onus is on the user to log in and uses a single source - Office365/EntraID. Certs have a complicated, additional management overhead to distribute and revoke. I will take a look as the project progresses.
Thanks for the advice.
