Machine auth on SSID

Solved
TheMightyGaur
Conversationalist

Machine auth on SSID

Looking to only allow domain joined machines on a SSID.  Was looking at radius auth but that seems to only check mac address or user accounts despite this statement in the config doc:

"Type or find the Domain Users group. This group should be located in the same domain as your RADIUS server.
Note: If RADIUS is being used for Machine Authentication, find the Domain Computers group instead." 

 

Can this be done using a computer group? If not, what is the best option to verify the computer and minimize complexity to the users?  we have about 1500 devices, so creating a mac account for each machine would be a bit cumbersome to maintain.

 

Thanks for any suggestions.

 

Using NPS for RADIUS.

1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee

Using X.509 certs (either user or machine) for Enterprise-802.1x is supported by Meraki APs using NPS as RADIUS    https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP...

View solution in original post

4 Replies 4
GreenMan
Meraki Employee
Meraki Employee

Using X.509 certs (either user or machine) for Enterprise-802.1x is supported by Meraki APs using NPS as RADIUS    https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP...

GIdenJoe
Kind of a big deal
Kind of a big deal

You need your NPS access rule to match a specific AD group. In this case that would be the domain computers group.  And only if that condition is met you can send the access-accept.

Usually when you create a network policy on NPS you need to put in following conditions:
nas-port-type = 802.11 wireless
called station id contiains SSIDname
domain computer = the machine group containing your windows machines.

And make sure this rule is above the default rules.

TheMightyGaur
Conversationalist

Thanks for your reply.  I have chosen a different route, but I appreciate your reply

PhilipDAth
Kind of a big deal
Kind of a big deal

You will also need to create a group policy to configure your macihnes to only perform machine auth.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels