Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki Wireless + Dot1x + Mac address

Shahrul
Comes here often
2 weeks ago
2 weeks ago

Meraki Wireless + Dot1x + Mac address

Hi,

Require help on how to configure authentication dot1x using user account + mac address. I believe this requires to be done on NPS side. Does anyone have any ideas on this?

0 Kudos
Subscribe
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

You won't be able to perform dual MAC+dot1x authentication using NPS (as in, MAC authenticate a machine and then dot1x authenticate a user).

However - that should not be required.  Instead use something like EAP-TLS.  Configure your environment to deploy certificates to machines (and/or users) and authenticate using that.

This is much stronger than stronger than using MAC-based authentication.

 

If instead you mean you want to be able to support devices doing EITHER MAC-based authentication or username/password authentication (for example), then that can be done with NPS - but it is pretty ugly.  You have to create AD accounts where the username and password are the MAC address of the device.

https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Mic... 

0 Kudos
Subscribe
In response to PhilipDAth
Shahrul
Comes here often
2 weeks ago
2 weeks ago

thanks for your explaination. already checked on the MAC as username/password but it cant be done as the AD policy requires special character as the password. 

for the first option, the environment includes the scanner as well. so it seems impossible to generate cert.

0 Kudos
Subscribe
In response to Shahrul
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

If you go down this path you need to limit yourself to buying hardware that meets your security posture.  There are plenty of scanners and printers out there that support EAP-TLS.

You could also consider not enabling 802.1x on that port and simply using a sticky MAC address.  You can search for the feature on this page:
https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports 

0 Kudos
Subscribe
In response to PhilipDAth
Shahrul
Comes here often
2 weeks ago
2 weeks ago

I see. Is it possible to bind the user with mac address on the AD side?

 

Or could we Whitelist all the mac addresses and deny the rest. Could we achieve this using the meraki wireless? 

0 Kudos
Subscribe
In response to Shahrul
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

No with Microsoft NPS.  To be able to do something like this you need to use an authentication protocol called TEAP, and Microsoft NPS does not support this.

But no one does this.  Everyone uses certificate-based authentication instead that needs this kind of security.

0 Kudos
Subscribe
In response to PhilipDAth
Shahrul
Comes here often
2 weeks ago
2 weeks ago

Noted. Any documentation on the meraki setup with the dot1x with certificate-based? 

0 Kudos
Subscribe
In response to Shahrul
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Not that I am aware of, and it is quite a project.  You might want to consider getting someone in to help you with this.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.