Meraki

Community

NPS woes with EAP-TLS & PEAP-MS-CHAPv2

Solved
Lukeyjay
Here to help
‎Oct 25 2023 6:23 PM
‎Oct 25 2023 6:23 PM

NPS woes with EAP-TLS & PEAP-MS-CHAPv2

Hi All,

Having some more woes with NPS and wondering if any of you have had this situation. We have a heap of old devices that are authenticating using PEAP-MSCHAPv2 and we are in the process of migrating them across to EAP-TLS. We need to keep both methods online for some time as some of the clients will not support EAP-TLS.

 

The problem I'm finding is differentiating these methos in our NPS polices. We have an existing NPS policy for PEAP-MSCHAPV2 and I have created a new policy above it for EAP-TLS. This hums away nicely if on the EAP-TLS policy I have a condition for specific domain computer's using windows groups. (something we don't want to do)

 

If I remove the group restriction all clients use the EAP-TLS policy. I have tried putting the old PEAP policy above the eap-tls policy with conditions on authentication method and it simply overlooks these and moves to the next policy.

 

Any ideas what I could be missing?

 

Screenshot 2023-10-26 115147.png

 

 

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 12:44 PM
‎Oct 26 2023 12:44 PM

> I have created a new policy above it for EAP-TLS.

 

Don't do this.  Use PEAP-MSCHAPv2 and EAP-TLS in the same policy.  Complete your migration.  Then remove PEAP-MSCHAPv2.

View solution in original post

7 Replies 7
Brash
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 6:42 PM
‎Oct 25 2023 6:42 PM

Can you send through some screenshots of the conditions in your policies?

I'll admit, from my experience with NPS I've had some similar issues getting policies to different on auth type.

0 Kudos
In response to Brash
Lukeyjay
Here to help
‎Oct 25 2023 10:02 PM
‎Oct 25 2023 10:02 PM

unfortunately, i have reverted the polices. I have been doing some reading and some people have mentioned the filtering only works well on the connection policy.

 

0 Kudos
alemabrahao
Kind of a big deal
‎Oct 25 2023 6:51 PM
‎Oct 25 2023 6:51 PM

With WLC it is much easier as you can configure the NAS-ID in the SSIDs, which is not possible with Meraki. I can't think of any other attribute that you can use in the policy condition.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
‎Oct 25 2023 6:56 PM
‎Oct 25 2023 6:56 PM

Maybe you can use the Called-Station-ID

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

 

https://wifinigel.blogspot.com/2014/03/the-microsoft-network-policy-server-nps.html?m=1

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 12:44 PM
‎Oct 26 2023 12:44 PM

> I have created a new policy above it for EAP-TLS.

 

Don't do this.  Use PEAP-MSCHAPv2 and EAP-TLS in the same policy.  Complete your migration.  Then remove PEAP-MSCHAPv2.

In response to PhilipDAth
Lukeyjay
Here to help
‎Oct 26 2023 6:13 PM
‎Oct 26 2023 6:13 PM

Amazing, I didn't think of that approach. Will give it a go outside our prod hours and report back.

Thanks Philip!

In response to PhilipDAth
Lukeyjay
Here to help
‎Oct 26 2023 11:04 PM
‎Oct 26 2023 11:04 PM

worked like a charm!! thanks so much.

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.