Meraki

Community

Restricting WPA3-Enterprise Network Access to Domain-Joined Computers

giovannip
Just browsing
‎Aug 22 2024 5:16 AM
‎Aug 22 2024 5:16 AM

Restricting WPA3-Enterprise Network Access to Domain-Joined Computers

Hi everyone,

I'm working on setting up a new WPA3-Enterprise network and I'm trying to figure out the best way to restrict access to only domain-joined computers. I'm hoping to leverage the security benefits of WPA3-Enterprise, but I also want to ensure that only authorized devices can connect to the network. 

 

Has anyone had experience with this? Are there any specific configurations or settings I should be aware of?

I'm using Cisco Meraki as my network equipment.

Any insights or recommendations would be greatly appreciated.

Thanks,

Giovanni

0 Kudos
3 Replies 3
Mloraditch
A model citizen
‎Aug 22 2024 8:20 AM
‎Aug 22 2024 8:20 AM

This is all determined by rules on your RADIUS server, whether Cisco ISE, NPS, or something else. The options are generally login/password based, certificate based, or a combination. I generally use certificates as I work in AD environments and we can do auto provisioning via GPOs to handle everything on the PCs. But there are a multitude of options out there. The Meraki side settings will mostly be agnostic to the Radius server used.

KH
Meraki Employee
Meraki Employee
‎Aug 22 2024 8:29 AM
‎Aug 22 2024 8:29 AM

Hey @giovannip 

 

This can be achieved by applying a GPO to domain-joined devices that issues them with a certificate through your internal CA for wireless.

You could then configure the WPA3-Enterprise with Radius and on the Radius server have the certificate be used as the authentication method. You should also add username/password to ensure only employees are connecting from the machine in question.

 

This would help ensure only domain-joined clients can authenticate/connect to the SSID.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Aug 25 2024 10:28 AM
‎Aug 25 2024 10:28 AM

This is where computer authentication comes in.
Only accept the certs that have been distributed by your internal CA.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.