Radius auth with no local AD server

Luke44
Just browsing

Hi there

Our computers and devices are all Azure joined.

Azure AD doesn't offer RADIUS authentication as yet. Perhaps it will in the future. Alternatively, perhaps Meraki will allow wifi authentication to Azure AD down the track.

What's the easiest way to authenticate wifi connections without spinning up a local server? I am loath to bring a server out of mothballs for the sole purpose of acting as a RADIUS server for the Meraki APs.

I created an Azure VM but the cost is excessive when it is simply acting as a radius server.

Have looked at external RADIUS providers, but this isn't ideal due to the way Azure AD talks to the 3rd party, i.e. it's not fully synchronous.

My alternative is to set up policies on the MX to send wifi clients to their respective VLANs and keep the wifi password to myself. I'm not sure how the MX84 will go with so many clients assigned to VLAN-specific policies.

We have around 40 staff in the office, each staff member has at least two wifi devices. Some devices are BYOD, most of them are corporate devices.

Thank you.

ThibaultH
Here to help

Hi Luke 44 👨‍💻

Since you're an Azure guy, have you had a look at the Azure RADIUS image?

--> https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloud-infrastructure-services.radius-2...

Could save you cost (and maintenance) rather than installing the RADIUS role on a VM.

Maybe that could work for you?

🤘

PhilipDAth
Kind of a big deal

There is currently no good solution for this case.

There are providers like JumpCloud that do cloud-based RADIUS with Azure AD integration.

https://jumpcloud.com/product/cloud-radius/

What I don't like about this service is that when you move users across to it they get an email asking them to click on a link to reset their password. I don't like encouraging users to respond to emails like this.

JumpCloud need to do this to get an original copy of their password to make this work.
Meraki have a feature coming out called Trusted Access. This is basically a Meraki-managed certificate provider. You need a Systems Manager licence for this, but the endpoints do not need to be managed by Systems Manager. Systems Manager is only used to configure the WiFi and install the certificate so the user doesn't have to do anything.

Systems Manager itself supports Azure AD authentication (which we use ourselves; we have no local AD). However, the Trusted Access beta doesn't support this at the moment (but it is still in beta). Hopefully this will get resolved. Then you'll be able to give users a link to the Meraki self-service portal. They'll log into the Meraki portal using their Azure AD credentials and then select the option to add their device. This then deploys a certificate onto their device and they then authenticate to WiFi using EAP-TLS.

Luke44
Just browsing

@ThibaultH 

I believe this scenario still requires an on-prem AD server connected to Azure via AD Services.

I was really hoping to avoid on-prem infrastructure such as a local server.

Thank you anyway.