Meraki

tli · ‎Aug 25 2023

Hi Guys ,

Is this a wrong confg with meraki or with the device's NIC it self , we have configured an SSID for encryption 802.1x with custom radius - But it happens for some users whose need to enter their user domain account (name and password) each time before they finally athenticate on this SSID .

Can you please give me an clue on that so can improve this.

Thanks !

alemabrahao · ‎Aug 25 2023

Can you give more details please?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

tli · ‎Aug 25 2023

Okay ,

users are part of the the domain (active directory) once they are login in to they PC , they should automatically connected to the ssid wit encryption 802.1x with custom radius , but they have to enter they user name and password to be able to connect on the ssid , that s what it is happening .

alemabrahao · ‎Aug 25 2023

Check if this option is enabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KarstenI · ‎Aug 25 2023

The best way is to enable single sign on for the WLAN. If you are on a new Windows release you perhaps have to disable Credential Guard for this to work. Using client Certificates would be the better option. And all these options are ideally pushed with GPOs.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

DevOps_RC · ‎Aug 28 2023

I don't want to assume anything, so if it's ok, can I confirm a few things first. When you say that it is using a custom radius, is the option selected 'my Radius server' from the option under Security>Enterprise with in the Wireless>Access Control part of the dashboard?

If so, I assume that under the Radius settings you have it configured to point to the radius server, which is what I'm ultimately trying to lead you too. This could be an ISE appliance/Service or any other Radius server, but this is where I think you need to start your actual investigation as it is the configuration within the Radius server which will tell you how clients/devices are authenticating the network.

Which protocol is the policy that your clients should be matching to within the radius server (Apologies I'm using ISE terminology (I think)) EAP-TLS, PEAP, MS-CHAP...etc. How are clients/devices to authenticate, with a username/password or with a certificate, potentially both. The protocol will kinda determine which authentication method is to be used.

I know that you have said that entering credentials allows the users to login, but it may well be that users/devices are actually supposed to authenticate with certificates, but the radius also allows username/password.

I've had issue previously where computer accounts weren't located within the correct OU in AD, so a GPO which assigned the configuration for the wireless connection haven't been pushed out.

My advise is to start at the radius server, look to see how succesfull clients/devices authenticate, and look to then see why your failed clients don't automatically...I do hope that this does assist you in your investigation.

Meraki

Community

SSID with encryption 802.1x with custom radius

SSID with encryption 802.1x with custom radius