Meraki

Community

Meraki Authentication with 802.1x based on hostname of the computer

Solved
FelipeTeevo
Here to help
‎Sep 1 2021 1:28 PM
‎Sep 1 2021 1:28 PM

Meraki Authentication with 802.1x based on hostname of the computer

I'm in the middle of an implementation that one of the needs is for an SSID with 802.1x authentication to be based in addition to the user, if the computer's hostname is within an AD group.

With wireshark, I can identify that the Meraki AP does not send this information. I was able to activate to send a NAS-ID, in this case the SSID name to be able to differentiate the polices but I do not identify the sending of the computer's hostname.

Can anyone help how to enable or how to configure 802.1x authentication based on the hostname of the computer that should be in an AD group?

Labels:
0 Kudos
1 Accepted Solution
In response to PhilipDAth
FelipeTeevo
Here to help
‎Sep 15 2021 9:08 AM
‎Sep 15 2021 9:08 AM

Hi Philip,

 

Just to get back to you, I managed to solve it in an easier way. In access control, on radius advanced settings, i put on called-station-id, as custom, %n which in this way sends to the radius server as username, hostname.domain.local

FelipeTeevo_0-1631722110439.png

 

View solution in original post

0 Kudos
9 Replies 9
Bruce
Kind of a big deal
‎Sep 1 2021 2:13 PM
‎Sep 1 2021 2:13 PM

You’re not going to be able to achieve this with Meraki Authentication. You need to use 802.1x with your own RADIUS server which is integrated with AD (examples are Microsoft NPS, Cisco ISE). Then you’ll be able to configure the client to authenticate using the host/computer rather than the user credentials.

 

If you want to authenticate both the user and computer you are going to need a more advanced RADIUS server than Microsoft NPS (probably something like Cisco ISE), and use something like EAP-TEAP, or use some of the profiling capabilities of ISE to determine if it’s the host you expect.

In response to Bruce
FelipeTeevo
Here to help
‎Sep 2 2021 5:42 AM
‎Sep 2 2021 5:42 AM

Hi Bruce, how are you?

 

The customer currently has a wifi backbone with Cisco Aironet without Cisco ISE. It has an SSID with 802.1x authenticating to a Radius on Windows and the policy is based on an AD group that owns the computers.

0 Kudos
In response to Bruce
FelipeTeevo
Here to help
‎Sep 15 2021 9:10 AM
‎Sep 15 2021 9:10 AM

Hi Bruce,

 

Just to get back to you, I managed to solve it in an easier way. In access control, on radius advanced settings, i put on called-station-id, as custom, %n which in this way sends to the radius server as username, hostname.domain.local

FelipeTeevo_0-1631722188900.png

 

 

In response to FelipeTeevo
Bruce
Kind of a big deal
‎Sep 15 2021 1:51 PM
‎Sep 15 2021 1:51 PM

@FelipeTeevo, thanks for the update. Glad to hear you found a way to achieve your desired outcome. That’s a relatively new feature, good to see it’s enabling people to use the Meraki kit in the way they want.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 1 2021 2:43 PM
‎Sep 1 2021 2:43 PM

I've confused by this one.  You mention Meraki Authentication in the title but talk about the AP not sending the info, suggesting it is sending something to something else (perhaps RADIUS).

 

You can configure Windows 10 to do hostname authentication, username authentication, or send the hostname prior to login, and then the username after login.  This requires a RADIUS server like Microsoft NPS.

 

You can configure this in group policy or under advanced settings for the WiFi connection.  Check out step 3 in this link:

https://www.otago.ac.nz/its/otago114286.pdf 

 

0 Kudos
In response to PhilipDAth
FelipeTeevo
Here to help
‎Sep 2 2021 5:44 AM
‎Sep 2 2021 5:44 AM

Hi Philip, how are you?

 

This configuration you sent is for 802.1x authentication on the wired network, correct? In this case I mean authentication with 802.1x, by wifi so that it is based on the hostname, authenticating in an AD group on a radius server running on a windows server. Currently the client has a simple structure with cisco aironet without cisco ISE and it works perfectly.

0 Kudos
In response to FelipeTeevo
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 2 2021 5:57 AM
‎Sep 2 2021 5:57 AM

Same deal - wired or WiFi.  Just configure Windows 10 to authenticate with whatever you want.

0 Kudos
In response to PhilipDAth
FelipeTeevo
Here to help
‎Sep 2 2021 6:53 AM
‎Sep 2 2021 6:53 AM

Phillip,

Tell me if you agree with me:
- in the current scenario, running a wireshark, I can capture from the same workstation I use for testing, in this case authenticating on the cisco aironet network, it receives the hostname as user as a parameter. So I think that this config you informed is already applied, right? Image below:

FelipeTeevo_0-1630590525096.png

 

At Meraki, on the same workstation, authentication only arrives with the username:

FelipeTeevo_1-1630590725471.png

 

 

 

0 Kudos
In response to PhilipDAth
FelipeTeevo
Here to help
‎Sep 15 2021 9:08 AM
‎Sep 15 2021 9:08 AM

Hi Philip,

 

Just to get back to you, I managed to solve it in an easier way. In access control, on radius advanced settings, i put on called-station-id, as custom, %n which in this way sends to the radius server as username, hostname.domain.local

FelipeTeevo_0-1631722110439.png

 

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.