Meraki Wireless + Dot1x + Mac address

Shahrul

Hi,

Require help on how to configure authentication dot1x using user account + mac address. I believe this requires to be done on NPS side. Does anyone have any ideas on this?

7 Replies
PhilipDAth

You won't be able to perform dual MAC+dot1x authentication using NPS (as in, MAC authenticate a machine and then dot1x authenticate a user).

However - that should not be required.  Instead use something like EAP-TLS.  Configure your environment to deploy certificates to machines (and/or users) and authenticate using that.

This is much stronger than using MAC-based authentication.


If instead you mean you want to be able to support devices doing EITHER MAC-based authentication or username/password authentication (for example), then that can be done with NPS - but it is pretty ugly.  You have to create AD accounts where the username and password are the MAC address of the device.

https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Mic... 
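As an added example (not from this thread or the linked Meraki documentation), the following PowerShell shows one way to provision the AD accounts the reply above describes, where the MAC address serves as both username and password. It assumes the RSAT ActiveDirectory module, placeholder OU/group/policy names, a lowercase no-delimiter MAC format that must be checked against what the access point actually sends as the RADIUS User-Name, and a domain functional level that supports fine-grained password policies. The password is set only after the account joins the group, so the scoped policy rather than the domain-wide one is evaluated.

```powershell
# Added example, not part of the thread or Meraki docs.
# Creates one AD account per device MAC for MAC-based auth via NPS.
# Assumptions: RSAT ActiveDirectory module present; OU, group and PSO names are
# placeholders; MAC format (12 lowercase hex chars, no delimiters) is assumed and
# must match the RADIUS User-Name the Meraki AP sends.

Import-Module ActiveDirectory

$OU        = 'OU=MAB-Devices,DC=corp,DC=example'   # assumed OU for these accounts
$GroupName = 'MAB-Devices'                          # assumed group the policy applies to
$PsoName   = 'MAB-NoComplexity'                     # assumed fine-grained password policy

# Constructed sample inventory; replace with your own device list
$Devices = @(
    @{ Mac = '00:11:22:AA:BB:CC'; Description = 'Warehouse scanner 1' },
    @{ Mac = '00-11-22-aa-bb-dd'; Description = 'Label printer' }
)

function ConvertTo-MabUsername {
    param([Parameter(Mandatory)][string]$Mac)
    # Normalise any common notation to 12 lowercase hex chars (assumed format)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return $hex
}

# A MAC address has no special characters, so the domain password policy will
# normally reject it. Scope a fine-grained policy to this group only; the
# domain-wide policy stays untouched. Lockout is disabled so that a spoofed
# client sending bad passwords cannot lock the real device out of the network.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $false -MinPasswordLength 12 `
        -LockoutThreshold 0 -ReversibleEncryptionEnabled $false
}
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $OU
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

foreach ($d in $Devices) {
    $user = ConvertTo-MabUsername $d.Mac
    if (Get-ADUser -Filter "SamAccountName -eq '$user'") { continue }

    # Create disabled and without a password first: at this point the account
    # is not yet in the group, so the domain policy would still apply.
    New-ADUser -Name $user -SamAccountName $user -Path $OU `
        -Description $d.Description -Enabled $false
    Add-ADGroupMember -Identity $GroupName -Members $user

    # Now the scoped policy is in effect, so the MAC is accepted as the password.
    $secret = ConvertTo-SecureString $user -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret
    Set-ADUser -Identity $user -PasswordNeverExpires $true -CannotChangePassword $true
    Enable-ADAccount -Identity $user
}
```

The NPS network policy that matches these requests must permit the authentication method the access point uses for MAC-based access (typically PAP), and the condition should be restricted to membership of the MAB group so these accounts cannot satisfy any other policy. Treat the group as untrusted: deny it interactive and remote logon by GPO, and remember that a MAC address is trivially spoofed, which is why the reply above prefers EAP-TLS.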

Shahrul

Thanks for your explanation. I already checked on the MAC as username/password, but it can't be done as the AD policy requires a special character in the password.

For the first option, the environment includes the scanner as well, so it seems impossible to generate a cert.

PhilipDAth

If you go down this path you need to limit yourself to buying hardware that meets your security posture.  There are plenty of scanners and printers out there that support EAP-TLS.

You could also consider not enabling 802.1x on that port and simply using a sticky MAC address.  You can search for the feature on this page:
https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports 

Shahrul

I see. Is it possible to bind the user with mac address on the AD side?


Or could we whitelist all the MAC addresses and deny the rest? Could we achieve this using the Meraki wireless?

PhilipDAth

Not with Microsoft NPS.  To be able to do something like this you need to use an authentication protocol called TEAP, and Microsoft NPS does not support this.

But no one does this.  Everyone that needs this kind of security uses certificate-based authentication instead.

Shahrul

Noted. Any documentation on the Meraki setup for dot1x with certificate-based authentication?

PhilipDAth

Not that I am aware of, and it is quite a project.  You might want to consider getting someone in to help you with this.
