Radius Authentication | Check on certificate and users
Hi everyone.
Recently, I’ve been running some tests on my NPS server for RADIUS authentication with my Meraki access points.
My goal is to authenticate via RADIUS only computers with a certificate issued by my CA and users who belong to a specific domain group.
Right now, the certificate authentication is working but I can't find a way to add a check on the domain groups.
Do you have any tips?
Thank you
NPS doesn't have a capability to say that a computer certificate must be authenticated first and then a user certificate. You need a product like Cisco ISE to do that.
But group policy lets you configure the WiFi settings on your devices, and in group policy you can say that devices must authenticate as a computer first (prior to user login), and then as a user when they log in.
Your NPS policy will need to match "Domain Computers", and whatever group the users are in.
You'll need to configure group policy to do Computer and User authentication.
You'll need to configure group policy to issue certificates both to the computers and the users.
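The three steps above (NPS policy matching both groups, computer-and-user authentication in the wireless GPO, certificate templates for both computers and users) can be verified from a client before you start reading NPS reject logs. The script below is an added example, not code from this thread or from Meraki or Microsoft; the SSID `CorpWiFi` and the issuing CA subject `CN=Corp-Issuing-CA` are assumed placeholders. It checks that a machine certificate and a user certificate usable for EAP-TLS are present, then exports the wireless profile and confirms it is set to `machineOrUser` with EAP type 13 (EAP-TLS), which is what makes the client authenticate with the computer certificate before logon and re-authenticate with the user certificate after logon.

```powershell
# Added example (not from the thread): client-side checks for the machine + user
# EAP-TLS setup. $Ssid and $IssuerCN are assumed placeholders; substitute your own.
$Ssid     = 'CorpWiFi'            # assumed SSID name pushed by the wireless GPO
$IssuerCN = 'CN=Corp-Issuing-CA'  # assumed subject of the internal issuing CA

# EAP-TLS on Windows picks a certificate that has a private key, is not expired,
# and carries the Client Authentication EKU. Apply the same filter to both stores:
# LocalMachine\My holds the computer certificate, CurrentUser\My the user certificate.
function Get-EapTlsCandidate {
    param([Parameter(Mandatory)][string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like "*$IssuerCN*" -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')  # id-kp-clientAuth
        }
}

$machineCerts = @(Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My')
$userCerts    = @(Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My')

if ($machineCerts.Count -eq 0) {
    Write-Warning "No machine certificate from $IssuerCN usable for EAP-TLS; computer authentication will fail."
}
if ($userCerts.Count -eq 0) {
    Write-Warning "No user certificate from $IssuerCN usable for EAP-TLS; user authentication (and the user-group check on NPS) will fail."
}

# Export the wireless profile and read the 802.1X settings. 'machineOrUser' is the
# authMode that authenticates as the computer before logon and as the user afterwards;
# 'machine' or 'user' alone means NPS only ever sees one of the two identities.
$exportDir = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh wlan export profile name="$Ssid" folder="$exportDir" | Out-Null
$profileFile = Get-ChildItem -Path $exportDir -Filter '*.xml' | Select-Object -First 1
if (-not $profileFile) {
    throw "Wireless profile '$Ssid' not found on this client; check 'netsh wlan show profiles'."
}

[xml]$wlanXml = Get-Content -Path $profileFile.FullName
$oneX     = $wlanXml.WLANProfile.MSM.security.OneX
$authMode = $oneX.authMode
$eapType  = [int]$oneX.EAPConfig.EapHostConfig.EapMethod.Type   # 13 = EAP-TLS, 25 = PEAP

if ($authMode -ne 'machineOrUser') {
    Write-Warning "Profile '$Ssid' uses authMode '$authMode'; set it to 'machineOrUser' in the wireless GPO."
}
if ($eapType -ne 13) {
    Write-Warning "Profile '$Ssid' uses EAP type $eapType, not EAP-TLS (13); certificate authentication is not in use."
}

# Summary: what NPS will be able to match on from this client.
[pscustomobject]@{
    Ssid               = $Ssid
    AuthMode           = $authMode
    EapType            = $eapType
    MachineCertSubject = ($machineCerts | Select-Object -First 1).Subject
    UserCertSubject    = ($userCerts    | Select-Object -First 1).Subject
}
```

Run it in the user's session (the user certificate check reads `Cert:\CurrentUser\My`). On the NPS server, events 6272 (access granted) and 6273 (access denied) in the Security log show which identity was presented, the computer account for the pre-logon authentication and the user account after logon, and which network policy matched, so you can confirm that the policy's Windows Groups condition (Domain Computers plus the user group) is being evaluated for both.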
I could be wrong but I think when you authenticate using PEAP/EAP-TLS with machine certificates, you can't perform user/group based checks as that information isn't passed onto the RADIUS server.
You can probably do it with user certificates though.
Windows machines that join AD have a machine account. When you use machine based certificate authentication, they present that certificate in the same way that a user does.
NPS then extracts the username from that certificate (whether it be user or machine), and checks that it is allowed access.
So, the suggestion is to create a template for a certificate for the user as well and perform the verification on both certificates? Correct?
Correct. You should have both a computer and a user certificate template.
Ok, but I have a doubt.
Where do I specify that my NPS server must verify both certificates and not just one? Within the configuration, I don't see a way to select more than one certificate.