LDAP vs PSK

Solved
nw-netadmin
Conversationalist

I am setting up a new wifi SSID. This will be for our office computers. I only want company-owned, domain-joined computers to be on this wifi. I don't have budget for ISE or anything like that. I need it to be reliable, but not complicated. I would be fine with saying that anyone with domain credentials should be able to get on this wifi.

I am trying to decide what authentication scheme I want to use. I have it narrowed down to LDAP or pre-shared key.

I like LDAP because it seems to be more scalable / manageable to use domain credentials. That way, everything is per-user. And, if the user is disabled, then those devices can't get on the wifi. And, I worry about the pre-shared key being given out.

On the other hand, I could do a pre-shared key and publish it through group policy. The users wouldn't have to know the key.

And, this might be the deal breaker... I want to use Wifi6 and Wifi6 requires WPA3, and it looks like I can't use LDAP and WPA3.

Anyway, is there something that I am missing? Is there future support for WPA3 under LDAP?

Also, is there another protocol that talks straight to Active Directory other than LDAP? I thought there was, but I don't see it in the options.

Thanks everyone

1 Accepted Solution
Brash
Kind of a big deal

@KarstenI is bang on.

To meet your requirements of domain joined computers and user auth, a RADIUS server is the way to go.

Microsoft NPS is free and works well enough, but it's a bit like diving back into the early 2000s with regard to usability. You may have to spend a little bit to invest in a log viewer/interpreter to actually troubleshoot auth failures (e.g. IAS Log Viewer).
That said, it's so widely used that there's heaps of online resources.

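The accepted answer points out that troubleshooting NPS auth failures usually means reading the raw accounting/authentication log. As an added example (not code from the thread, from Cisco Meraki, or from Microsoft), the script below parses events in the DTS-compliant XML format that NPS writes by default, counts Access-Reject packets by reason, user and RADIUS client, and flags users with repeated rejects so a misconfigured supplicant or a stale saved password stands out. The element names (`Packet-Type`, `Reason-Code`, `User-Name`, `Client-Friendly-Name`, `Calling-Station-Id`) are the ones NPS uses in that format; the reason-code meanings are taken from Microsoft's documented list and should be verified against your NPS version; the sample events, hostnames, users and MAC addresses are constructed for the example.

```python
"""Summarize authentication failures from NPS (IAS) XML-format logs.

Added example for the thread above; not from Cisco Meraki or Microsoft.
Field names follow the DTS-compliant XML format NPS writes by default.
The sample events below are constructed, not captured from a real server.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS Packet-Type values as NPS logs them (RFC 2865 codes).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

# A few NPS Reason-Code values with their documented meanings.
# Verify against your NPS version before building alerts on them.
REASON_TEXT = {
    0: "success",
    16: "bad username or password",
    48: "no matching network policy",
    66: "auth method not enabled on matched policy",
}

# Constructed sample log: one <Event> per line, as NPS writes it.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">03/22/2024 08:01:10.123</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CORP\\alice</User-Name><Client-Friendly-Name data_type="1">MR-AP-1</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-01</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/22/2024 08:01:10.250</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CORP\\alice</User-Name><Client-Friendly-Name data_type="1">MR-AP-1</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-01</Calling-Station-Id><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/22/2024 08:02:01.004</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CORP\\bob</User-Name><Client-Friendly-Name data_type="1">MR-AP-1</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-02</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/22/2024 08:02:31.117</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CORP\\bob</User-Name><Client-Friendly-Name data_type="1">MR-AP-1</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-02</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/22/2024 08:03:02.380</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CORP\\bob</User-Name><Client-Friendly-Name data_type="1">MR-AP-2</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-02</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/22/2024 08:04:15.009</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">host/LAPTOP-7.corp.example</User-Name><Client-Friendly-Name data_type="1">MR-AP-2</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-03</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">03/22/2024 08:05:40.512</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CORP\\carol</User-Name><Client-Friendly-Name data_type="1">MR-AP-1</Client-Friendly-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-00-04</Calling-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
"""


def parse_events(log_text):
    """Parse one <Event> element per line into a list of dicts."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)

        def field(name):
            node = root.find(name)
            return node.text if node is not None else None

        reason = field("Reason-Code")
        events.append({
            "time": field("Timestamp"),
            "user": field("User-Name"),
            "nas": field("Client-Friendly-Name"),   # RADIUS client (AP/WLC)
            "mac": field("Calling-Station-Id"),     # supplicant MAC
            "packet_type": int(field("Packet-Type")),
            "reason": int(reason) if reason is not None else None,
        })
    return events


def summarize(events, reject_threshold=3):
    """Count accepts/rejects and break rejects down by reason, user and NAS.

    Users with at least `reject_threshold` rejects are listed separately:
    that pattern is usually a stale saved password or a bad supplicant
    config, and is worth a look either way.
    """
    summary = {
        "accepts": 0, "rejects": 0,
        "by_reason": Counter(), "by_user": Counter(), "by_nas": Counter(),
        "repeat_offenders": [],
    }
    for ev in events:
        if ev["packet_type"] == ACCESS_ACCEPT:
            summary["accepts"] += 1
        elif ev["packet_type"] == ACCESS_REJECT:
            summary["rejects"] += 1
            text = REASON_TEXT.get(ev["reason"], "reason code %s" % ev["reason"])
            summary["by_reason"][text] += 1
            summary["by_user"][ev["user"]] += 1
            summary["by_nas"][ev["nas"]] += 1
    summary["repeat_offenders"] = sorted(
        user for user, n in summary["by_user"].items() if n >= reject_threshold
    )
    return summary


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    print("accepts: %d   rejects: %d" % (s["accepts"], s["rejects"]))
    for key in ("by_reason", "by_user", "by_nas"):
        for name, n in s[key].most_common():
            print("  %-10s %-45s %d" % (key[3:], name, n))
    print("repeat offenders:", ", ".join(s["repeat_offenders"]) or "none")
```

To run it against a real server, read the current log file from the NPS log folder instead of `SAMPLE_LOG`; the per-NAS counts are what tell you whether a failure follows the user across access points (credential problem) or stays on one AP (RADIUS client or shared-secret problem).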

3 Replies
KarstenI
Kind of a big deal

You could use 802.1X with the Microsoft NPS as a RADIUS server. This comes at no monetary cost but is also not very usable. There are open-source RADIUS servers like FreeRadius that could be used, or PacketFence.

But you will not reach your initial goal that only domain joined PCs can join the network. Every user with an account can join from any device he wants.


alemabrahao
Kind of a big deal

Take a look at the post that I made.

https://community.meraki.com/t5/Wireless/FreeRadius-Integration-with-OpenLDAP-and-Dynamic-Vlan-Assig...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.