Looking for assistance with NPS cert based Wifi for Macs and PCs

validity-infras
Just browsing

Looking for assistance with NPS cert based Wifi for Macs and PCs

So we have a somewhat unique situation that I am trying to figure out any solution that works.. We are currently using Meraki hardware for our wireless system and we have a directive from management to work to integrate out various systems so that we can deploy a company-wide wireless network(s) that used cert based authentication instead of the current username/password that times out every couple weeks. 

 

For further context, we have windows based servers with a local AD domain synced to Office 365. We are also using one of our DCs as a CA, but it is not being used for anything.

 

We have several NPS servers setup and we can get our windows, domain joined machines to work fairly well on the Meraki System. The problem comes in with our Mac users. Our AD domain was setup moons ago when using a .int TLD for the domain name along with other best practice issues that would be too disruptive to properly fix. As of now, we can't get our Mac machines to properly authenticate or trust the Wi-Fi networks when we use the NPS profiles/certs.

 

We did recently get invested in a PKI system through digicert that we are currently using for our Client VPN and have been trying to use auto-enrolled certs from that, but similarly to no avail. The final nail in the coffin is that we are under a budget crunch, so investing in something like JumpCloud or some other online hosted RADIUS service is not happening anytime soon.

 

I have looked at the documentation for Setting up 802.1x and we can do user authentication fairly well, but we have been instructed to get machine/certificate based authentication working. 

 

Long story short, what I am hoping to find is an article or video or something that discusses setting up windows NPS to interact with Meraki SSIDs so that both domain joined PCs and non-domain joined Macs can use one or more SSIDs to do cert based authentication. 

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal

Check the documentation.

 

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TTLS___PAP_Authent...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

>We are also using one of our DCs as a CA

 

If you are not using the CA yet - I STRONGLY recommend you uninstall it - and install a new one on a dedicated virtual machine.  You can't upgrade an AD controller with a CA server installed, which will create a future upgrade problem for you.

 

As far as the Mac's go - as long as you have install your CA certificate as a trusted root certificate, they should be able to connect.

PhilipDAth
Kind of a big deal
Kind of a big deal

ps. I tend to use EAP-TLS these days (rather than PEAP) for authentication due to its broad support across lots of different device types.

validity-infras
Just browsing

Forgot to setup email alerts for this topic. Unfortunately the AD CA was up and running long before I got here, so I am stuck with it now. The documentation doesn't help much as I have followed and am able to get the whole system to work fabulously for our Windows users. The issue is our Mac users. There are three running theories as to the root issue. The first is that the domain was setup not with best practice's in mind; using a non-routable .int for example. The second is that we are missing something on the NPS side as we have the Meraki wireless network setup exactly as the documentation describes and it all works great for our windows users. The third is that we are missing something on our Mac MDM (JAMF) side in distributing the 802.1x profile and/or the certs.

alemabrahao
Kind of a big deal
Kind of a big deal

Why don't you open a support case?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
validity-infras
Just browsing

I did and got zero assistance. I was told to take the issue up with either Microsoft or our PKI provider as the issue wasn't on their end, essentially. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels