Machine auth on SSID

Solved
TheMightyGaur
Conversationalist


Looking to only allow domain joined machines on a SSID. Was looking at RADIUS auth, but that seems to only check MAC address or user accounts despite this statement in the config doc:

"Type or find the Domain Users group. This group should be located in the same domain as your RADIUS server.
Note: If RADIUS is being used for Machine Authentication, find the Domain Computers group instead."

Can this be done using a computer group? If not, what is the best option to verify the computer and minimize complexity to the users? We have about 1500 devices, so creating a MAC account for each machine would be a bit cumbersome to maintain.

Thanks for any suggestions.

Using NPS for RADIUS.

1 Accepted Solution
GreenMan
Meraki Employee

Using X.509 certs (either user or machine) for Enterprise-802.1x is supported by Meraki APs using NPS as RADIUS: https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP...


4 Replies

GIdenJoe
Kind of a big deal

You need your NPS access rule to match a specific AD group. In this case that would be the domain computers group. And only if that condition is met you can send the access-accept.

Usually when you create a network policy on NPS you need to put in the following conditions:
nas-port-type = 802.11 wireless
called station id contains SSIDname
domain computer = the machine group containing your Windows machines.

And make sure this rule is above the default rules.
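
The following is an added example, not part of the original thread and not NPS or Meraki code: a simplified Python model of first-match policy evaluation that shows the three conditions above and why the rule's position relative to a catch-all default matters. The SSID `CorpWiFi`, the account names, the `AP-MAC:SSID` Called-Station-Id layout and the catch-all deny policy are assumptions made for illustration.

```python
# Simplified model of NPS network policy evaluation (illustration only, not NPS code).
# Policies are checked in processing order; the first one whose conditions all
# match decides the outcome. No match at all means the request is rejected.

WIRELESS_80211 = 19  # RADIUS NAS-Port-Type value for Wireless - IEEE 802.11

# Constructed directory data: which AD groups each account belongs to.
GROUPS = {
    "host/LAPTOP-01.corp.example": {"Domain Computers"},
    "CORP\\alice": {"Domain Users"},
}

def machine_policy(ssid):
    """The three conditions from the reply, for a hypothetical SSID name."""
    def matches(req):
        return (req["nas_port_type"] == WIRELESS_80211
                and ssid in req["called_station_id"]
                and "Domain Computers" in GROUPS.get(req["user_name"], set()))
    return {"name": f"Machines on {ssid}", "matches": matches, "grant": True}

# Stand-in for a default catch-all policy that denies access (assumption).
DEFAULT_DENY = {"name": "Default deny", "matches": lambda req: True, "grant": False}

def evaluate(policies, req):
    """Return (decision, policy name) using first-match semantics."""
    for p in policies:
        if p["matches"](req):
            return ("Access-Accept" if p["grant"] else "Access-Reject", p["name"])
    return ("Access-Reject", "no matching policy")

def request(user_name, ssid, port_type=WIRELESS_80211):
    # Constructed request; Called-Station-Id is modelled as "AP-MAC:SSID".
    return {"user_name": user_name, "nas_port_type": port_type,
            "called_station_id": f"AA-BB-CC-00-11-22:{ssid}"}

if __name__ == "__main__":
    good_order = [machine_policy("CorpWiFi"), DEFAULT_DENY]
    bad_order = [DEFAULT_DENY, machine_policy("CorpWiFi")]
    for label, pols in (("machine rule first", good_order), ("default first", bad_order)):
        for who in GROUPS:
            print(label, who, evaluate(pols, request(who, "CorpWiFi")))
```

With the machine rule first, only the computer account is accepted; with the catch-all first, the computer account is rejected before the machine rule is ever evaluated.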

TheMightyGaur
Conversationalist

Thanks for your reply. I have chosen a different route, but I appreciate your reply.

PhilipDAth
Kind of a big deal

You will also need to create a group policy to configure your machines to only perform machine auth.
