Radius Authentication | Check on certificate and users

Solved
FrancescodeRosa
Just browsing

Radius Authentication | Check on certificate and users

Hi everyone.

Recently, I’ve been running some tests on my NPS server for RADIUS authentication with my Meraki access points.

 

My goal is to authenticate via RADIUS only computers with a certificate issued by my CA and users who belong to a specific domain group.

 

Right now, the certificate authentication is working but i can't find a way to add a check on the domain groups.

 

Do you have any tips?

 

Thank you

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

NPS doesn't have a capability to say that a computer certifcate must be authenticated first and then a user certificate.  You need a product like Cisco ISE to do that.

 

But group policy lets you configure the WiFi settings on your devices, and in group policy you can say that devices must authenticate as a computer first (prior to user login), and then as a user when they log in.

View solution in original post

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal

Your NPS policy will need to match "Domain Computers", and whatever group the users are in.

 

You'll need to configure group policy to do Computer and User authentication.

 

You'll need to configure group policy to issue certificates both to the computers and the users.

Brash
Kind of a big deal
Kind of a big deal

I could be wrong but I think when you authenticate using PEAP/EAP-TLS with machine certificates, you can't perform user/group based checks as that information isn't passed onto the RADIUS server.

You can probably do it with user certificates though.

PhilipDAth
Kind of a big deal
Kind of a big deal

Windows machines that join AD have a machine account.  When you use machine based certificate authentication, they present that certificate in the same way that a user does.

 

NPS then extracts the username name from that certificate (weather it be user or machine), and checks that it is allowed access.

FrancescodeRosa
Just browsing

So, the suggestion is to create a template for a certificate for the user as well and perform the verification on both certificates? Correct?

PhilipDAth
Kind of a big deal
Kind of a big deal

Correct.  You should have both a computer and a user certificate template.

FrancescodeRosa
Just browsing

Ok, but I have a doubt.
Where do I specify that my NPS server must verify both certificates and not just one? Within the configuration, I don’t see a way to select more than one certificate."

PhilipDAth
Kind of a big deal
Kind of a big deal

NPS doesn't have a capability to say that a computer certifcate must be authenticated first and then a user certificate.  You need a product like Cisco ISE to do that.

 

But group policy lets you configure the WiFi settings on your devices, and in group policy you can say that devices must authenticate as a computer first (prior to user login), and then as a user when they log in.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels