Implementing a slash page auth with BYOD network - using Microsoft 2019 NPS

Solved
BadAssBassinD
Here to help

Implementing a slash page auth with BYOD network - using Microsoft 2019 NPS

I have begun to tackle the confusing effort of trying to implement a byod wireless network in the place of my employment.  

 

The problem is no one really knows the requirements or wants to decide what is exactly needed so I can only assume which just makes it more confusing.

My opinion of what is needed is to provide easy and secure access to the internet for all users. We have  3 different domains staff, students and an admin domain. Devices that will be used will include, iphones, androids, macs and pc’s.

 

We will eventually be using iboss to filter users according to domain credentials.

I have already set up an NPS server with the standard settings according to the meraki guide to implementing NPS.

I only created one policy, which is user based authentication – it would allow all three domains students, staff and admin access to gain internet access via the slash page as long as they have a valid user account.

When I test the connectivity in the Radius settings for slash page, using the servers external ip it states that the server can communicate with meraki cloud

 

We have school own devices on a different lan and each school owned devices automatically gets a cert once it is joined to the domain but I seem to be getting different results using the slash page and authenticating user groups vs machine auth.

 

My question is, I’ve seen so many ways to do this I’m not sure of the easiest but I think I have all the pieces just don’t know how to fit them together properly, can anyone help me find the correct but secure settings to use. I am using Microsoft a 2019  NPS Server and MR42 Meraki aps, I would like to authenticate three different domain user groups on an array of  devices all from a splash screen and put them on a natted meraki network (not on our internal lan)

Any help would be greatly appreciated.

1 Accepted Solution
BadAssBassinD
Here to help

Thank you for providing this insight, it's very definitely helpful, but I do have another question for you Philip.

 

Currently I am using wpa2-enterprise mode w radius for our district/school owned devices. That nps server has the same cert as our domain cert so each device trusts the NPS since is forced onto each machine when it joins the domain.

If I chose to employ this method for the BYOD users and not do splash page auth, what do you recommend for certs? Do we need to purchase one or can we use a *wildcard ? I'm a little unclear as to how to do this since you cant push certs to users devices. I guess you can give them a choice either  accept and associate or don't and then do not. Meraki states that they encrypt everything when the exchange of password etc is going to and from meraki to NPS server but is the cert even needed then if they are this secure ?  

I also found that for the Slash page I can set it to only make users Auth once a day or I can change the frequency. Personally I don't think this is a big deal or inconvenience because most of these users are students and they're classes last about an hour just my opinion on that. 

View solution in original post

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal

I'd forget the splash page and use WPA2-Enterprise mode.  The instructions are here:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_... 

 

If you really want to use a splash page then following these instructions:

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Configuring_RADIUS_A... 

BadAssBassinD
Here to help

Thank you PhilipDAth,

 

I think others would like to use the slash page it's not really my choice, but why wouldn't you recommend using that ? Also - We are using WPA2-Enterprise with radius for district owned devices and 802.1x. Once each machine joins the domain after it is imaged or via gp  users can connect b/c the cert is automatically installed on each device.

 

With slash page auth, which I think I have gotten to work correctly, NPS cannot push down a cert to devices such as an iPhone, a users mac, a users pc laptop, or an android phone, however after reading the article you mentioned it seems fairly secure using the splash with radius because information is sent and encrypted. 

 

How else would you suggest creating a BYOD network which needs to allow domain users to authenticate using their domain credentials ? This would strictly be for personal devices and we would not be placing them on our lan, only using meraki dhcp to keep them off our lan. Thank you. 

PhilipDAth
Kind of a big deal
Kind of a big deal

>but why wouldn't you recommend using that 

 

Because users will have to manually re-authenticate every-single-time the splash page authorization expires (so perhaps daily).  What a pain in the neck.  I wouldn't personally use it if it was me, because I wouldn't want to have to re-type my credentials into the splash page every single day.

 

The other issue has been created by Apple with mac address randomisation and iOS14.  The plash page authorisation is based on your mac address.  Apple users will not get a new mac address each time they attach.  So if you authenticate in the morning and go out of coverage (perhaps you go to the toilet, outside to pick something up, etc) every-single-time you come back into range of the network you will have to manually re-authenticate.  Horrible user experience - but we have Apple to thank for that one.  Thanks Apple - great user experience.

PhilipDAth
Kind of a big deal
Kind of a big deal

>How else would you suggest creating a BYOD network which needs to allow domain users to authenticate using their domain credentials ?

 

Using WPA2-Enterprise mode.

BadAssBassinD
Here to help

Thank you for providing this insight, it's very definitely helpful, but I do have another question for you Philip.

 

Currently I am using wpa2-enterprise mode w radius for our district/school owned devices. That nps server has the same cert as our domain cert so each device trusts the NPS since is forced onto each machine when it joins the domain.

If I chose to employ this method for the BYOD users and not do splash page auth, what do you recommend for certs? Do we need to purchase one or can we use a *wildcard ? I'm a little unclear as to how to do this since you cant push certs to users devices. I guess you can give them a choice either  accept and associate or don't and then do not. Meraki states that they encrypt everything when the exchange of password etc is going to and from meraki to NPS server but is the cert even needed then if they are this secure ?  

I also found that for the Slash page I can set it to only make users Auth once a day or I can change the frequency. Personally I don't think this is a big deal or inconvenience because most of these users are students and they're classes last about an hour just my opinion on that. 

PhilipDAth
Kind of a big deal
Kind of a big deal

>If I chose to employ this method for the BYOD users and not do splash page auth, what do you recommend for certs?

 

Any public cert will work.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels