Meraki Wireless + Dot1x + Mac address
Hi,
I need help on how to configure dot1x authentication using user account + MAC address. I believe this needs to be done on the NPS side. Does anyone have any ideas on this?
You won't be able to perform dual MAC+dot1x authentication using NPS (as in, MAC authenticate a machine and then dot1x authenticate a user).
However - that should not be required. Instead use something like EAP-TLS. Configure your environment to deploy certificates to machines (and/or users) and authenticate using that.
This is much stronger than using MAC-based authentication.
If instead you mean you want to be able to support devices doing EITHER MAC-based authentication or username/password authentication (for example), then that can be done with NPS - but it is pretty ugly. You have to create AD accounts where the username and password are the MAC address of the device.
Thanks for your explanation. I already checked on the MAC as username/password, but it can't be done as the AD policy requires a special character in the password.
For the first option, the environment includes the scanner as well, so it seems impossible to generate a cert.
If you go down this path you need to limit yourself to buying hardware that meets your security posture. There are plenty of scanners and printers out there that support EAP-TLS.
You could also consider not enabling 802.1x on that port and simply using a sticky MAC address. You can search for the feature on this page:
https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports
I see. Is it possible to bind the user with the MAC address on the AD side?
Or could we whitelist all the MAC addresses and deny the rest? Could we achieve this using the Meraki wireless?
Not with Microsoft NPS. To be able to do something like this you need to use an authentication protocol called TEAP, and Microsoft NPS does not support this.
But no one does this. Everyone that needs this kind of security uses certificate-based authentication instead.
Noted. Is there any documentation on the Meraki setup for dot1x with certificate-based authentication?
Not that I am aware of, and it is quite a project. You might want to consider getting someone in to help you with this.