Radius Authentication | Check on certificate and users

Solved
FrancescodeRosa
New here

Hi everyone.

Recently, I’ve been running some tests on my NPS server for RADIUS authentication with my Meraki access points.

My goal is to authenticate via RADIUS only computers with a certificate issued by my CA and users who belong to a specific domain group.

Right now, the certificate authentication is working but I can't find a way to add a check on the domain groups.

Do you have any tips?

Thank you

7 Replies
PhilipDAth
Kind of a big deal

Your NPS policy will need to match "Domain Computers", and whatever group the users are in.

You'll need to configure group policy to do Computer and User authentication.

You'll need to configure group policy to issue certificates both to the computers and the users.

Brash
Kind of a big deal

I could be wrong but I think when you authenticate using PEAP/EAP-TLS with machine certificates, you can't perform user/group based checks as that information isn't passed on to the RADIUS server.

You can probably do it with user certificates though.

PhilipDAth
Kind of a big deal

Windows machines that join AD have a machine account.  When you use machine based certificate authentication, they present that certificate in the same way that a user does.

NPS then extracts the username from that certificate (whether it be user or machine), and checks that it is allowed access.

FrancescodeRosa
New here

So, the suggestion is to create a template for a certificate for the user as well and perform the verification on both certificates? Correct?

PhilipDAth
Kind of a big deal

Correct.  You should have both a computer and a user certificate template.

FrancescodeRosa
New here

Ok, but I have a doubt.
Where do I specify that my NPS server must verify both certificates and not just one? Within the configuration, I don’t see a way to select more than one certificate.

PhilipDAth
Kind of a big deal

NPS doesn't have a capability to say that a computer certificate must be authenticated first and then a user certificate.  You need a product like Cisco ISE to do that.

But group policy lets you configure the WiFi settings on your devices, and in group policy you can say that devices must authenticate as a computer first (prior to user login), and then as a user when they log in.
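The two points made in this thread (NPS maps the identity in whichever certificate it receives to a directory account and checks that account's groups; the machine-first, then-user ordering comes from the supplicant, not from NPS) can be modelled in a few lines. The following is an added illustration written for this page, not NPS code or anything from Meraki or Microsoft. It assumes a simplified representation of the certificate identity (the `host/<fqdn>` form a Windows machine presents and the `user@domain` UPN a user presents), a constructed directory of accounts and groups, and two constructed network policies evaluated in order with first match winning, which is how NPS processes its policy list.

```python
"""Model of EAP-TLS identity-to-account mapping and group-based policy
evaluation in the style of NPS. Added example; the directory, CA name and
policies below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TRUSTED_CA = "CN=Corp Issuing CA"  # constructed issuer name


@dataclass
class CertIdentity:
    """Only the fields the RADIUS server reads from a client certificate:
    the identity in the Subject Alternative Name and the issuer.
    This is a constructed stand-in, not a real X.509 parse."""
    upn: str
    issuer: str = TRUSTED_CA


@dataclass
class NetworkPolicy:
    """An NPS-style network policy: a 'Machine Groups' or 'User Groups'
    condition naming the group the account must belong to."""
    name: str
    account_kind: str  # "computer" or "user"
    group: str


# Constructed directory: sAMAccountName -> group memberships
DIRECTORY: Dict[str, Set[str]] = {
    "PC01$": {"Domain Computers"},
    "alice": {"Domain Users", "WiFi-Users"},
    "bob": {"Domain Users"},
}

# Processed top to bottom; the first policy whose conditions match is applied.
POLICIES: List[NetworkPolicy] = [
    NetworkPolicy("Corp WiFi - Computers", "computer", "Domain Computers"),
    NetworkPolicy("Corp WiFi - Users", "user", "WiFi-Users"),
]


def account_from_cert(cert: CertIdentity) -> Tuple[str, str]:
    """Map the certificate identity to a directory account: a machine
    identity of the form host/<fqdn> maps to the computer account NAME$,
    a user identity user@domain maps to the user account."""
    if cert.upn.startswith("host/"):
        fqdn = cert.upn[len("host/"):]
        return "computer", fqdn.split(".")[0].upper() + "$"
    if "@" in cert.upn:
        return "user", cert.upn.split("@", 1)[0]
    raise ValueError("certificate carries no usable identity")


def evaluate(cert: CertIdentity,
             policies: List[NetworkPolicy] = POLICIES,
             directory: Dict[str, Set[str]] = DIRECTORY) -> Tuple[str, str]:
    """Decide one EAP-TLS session: issuer check, account lookup, then the
    ordered policy list. Returns ("accept", policy name) or ("reject", why)."""
    if cert.issuer != TRUSTED_CA:
        return "reject", "certificate not issued by the trusted CA"
    try:
        kind, account = account_from_cert(cert)
    except ValueError as exc:
        return "reject", str(exc)
    groups = directory.get(account)
    if groups is None:
        return "reject", f"no account {account} in the directory"
    for policy in policies:
        if policy.account_kind == kind and policy.group in groups:
            return "accept", policy.name
    return "reject", "no matching network policy"


def machine_then_user(machine_cert: CertIdentity,
                      user_cert: CertIdentity) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Two independent sessions, as a supplicant configured for machine
    authentication before logon and user authentication after logon
    produces them. The server sees one certificate per session and never
    links the two decisions; the ordering is entirely the supplicant's."""
    return evaluate(machine_cert), evaluate(user_cert)


if __name__ == "__main__":
    print(evaluate(CertIdentity("host/pc01.corp.example")))
    print(evaluate(CertIdentity("alice@corp.example")))
    print(evaluate(CertIdentity("bob@corp.example")))
    print(machine_then_user(CertIdentity("host/pc01.corp.example"),
                            CertIdentity("alice@corp.example")))
```

Running it shows the behaviour the replies describe: the computer session is accepted through the computer policy, the user session through the user policy, and a user who holds a valid certificate but is not in the required group is rejected even though the certificate check passed. What the model cannot express is "computer certificate first, then user certificate" as a single server-side rule; that sequencing lives in the wireless profile pushed by Group Policy (the OneX authentication mode that selects machine-then-user), which is exactly why the accepted answer points there rather than at NPS.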
