Meraki

Community

LDAP vs PSK

Solved
nw-netadmin
Conversationalist
‎Jun 13 2024 3:30 PM
‎Jun 13 2024 3:30 PM

LDAP vs PSK

I am setting up a new wifi ssid. This will be for our office computers. I only want company owned,  domain joined computers to be on this wifi. I don't have budget for ISE or anything like that. I need it to be reliable, but not complicated. I would be fine with saying that anyone with domain credentials should be able to get on this wifi.

 

I am trying to decide what authentication scheme I want to use. I have it narrowed down to LDAP or pre-shared key.

 

I like LDAP because it seems to be more scalable / manageable to use domain credentials. That way, everything is per-user. And, if they user is disabled, then those devices can't get on the wifi. And, I worry about the preshared key being given out.

 

On the other hand, I could do a preshared key and publish it through group policy.The users wouldn't have to know the key.

 

And, this might be the deal breaker... I want to use Wifi6 and Wifi6 requires WPA3 and it looks like I can't use LDAP and WPA3.

 

Anyway, is there something that I missing? Is there future support for WPA3 under LDAP?

 

Also, is there another protocol that talks straight to active directory other than LDAP? I thought there was, but I don't see it in the options.

 

Thanks everyone

Labels:
0 Kudos
1 Accepted Solution
Brash
Kind of a big deal
Kind of a big deal
‎Jun 13 2024 5:27 PM
‎Jun 13 2024 5:27 PM

@KarstenI is bang on.

To meet your requirements of domain joined computers and user auth, a RADIUS server is the way to go.

Microsoft NPS is free and works well enough but it's a bit like diving back into the early 2000's with regard to usability. You may have to spend a little bit to invest in a log viewer/interpreter to actually troubleshoot auth failures (Eg. IAS Log Viewer).
That said, it's so widely used that there's heaps of online resources.

View solution in original post

3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal
‎Jun 13 2024 4:44 PM
‎Jun 13 2024 4:44 PM

You could use 802.1X with the Microsoft NPS as a RADIUS server. This comes at no monetary cost but is also not very usable. There are open-source RADIUS servers like FreeRadiusthat could be used or PacketFence.

But you will not reach your initial goal that only domain joined PCs can join the network. Every user with an account can join from any device he wants.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal
Kind of a big deal
‎Jun 13 2024 5:27 PM
‎Jun 13 2024 5:27 PM

@KarstenI is bang on.

To meet your requirements of domain joined computers and user auth, a RADIUS server is the way to go.

Microsoft NPS is free and works well enough but it's a bit like diving back into the early 2000's with regard to usability. You may have to spend a little bit to invest in a log viewer/interpreter to actually troubleshoot auth failures (Eg. IAS Log Viewer).
That said, it's so widely used that there's heaps of online resources.

alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 13 2024 7:15 PM
‎Jun 13 2024 7:15 PM

Take a look at the post that I made.

 

https://community.meraki.com/t5/Wireless/FreeRadius-Integration-with-OpenLDAP-and-Dynamic-Vlan-Assig...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.