SSID with encryption 802.1x  with custom radius

tli
Comes here often

SSID with encryption 802.1x  with custom radius

Hi Guys , 

 

Is this a wrong confg  with meraki  or with the device's NIC  it self , we have configured an SSID  for  encryption 802.1x  with custom radius    -  But it happens for some users whose need to enter their user domain account (name and password)  each time before they finally athenticate on this SSID .
 
Can you please give me an clue on that so can improve this.
 
Thanks !
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal

Can you give more details  please?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
tli
Comes here often

Okay  , 

users are part of the the domain (active directory) once they are login in to they PC , they should automatically connected to the ssid wit encryption 802.1x  with custom radius , but they have to enter they user name and password to be able to connect on the ssid , that s what it is happening .

 

alemabrahao
Kind of a big deal
Kind of a big deal

Check if this option is enabled.

 

 

alemabrahao_0-1692987708031.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal
Kind of a big deal

The best way is to enable single sign on for the WLAN. If you are on a new Windows release you perhaps have to disable Credential Guard for this to work. Using client Certificates would be the better option. And all these options are ideally pushed with GPOs.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
DevOps_RC
Getting noticed

I don't want to assume anything, so if it's ok, can I confirm a few things first. When you say that it is using a custom radius, is the option selected 'my Radius server' from the option under Security>Enterprise with in the Wireless>Access Control part of the dashboard? 

DevOps_RC_0-1693209616566.png

 

If so, I assume that under the Radius settings you have it configured to point to the radius server, which is what I'm ultimately trying to lead you too. This could be an ISE appliance/Service or any other Radius server, but this is where I think you need to start your actual investigation as it is the configuration within the Radius server which will tell you how clients/devices are authenticating the network.

Which protocol is the policy that your clients should be matching to within the radius server (Apologies I'm using ISE terminology (I think)) EAP-TLS, PEAP, MS-CHAP...etc. How are clients/devices to authenticate, with a username/password or with a certificate, potentially both. The protocol will kinda determine which authentication method is to be used.

I know that you have said that entering credentials allows the users to login, but it may well be that users/devices are actually supposed to authenticate with certificates, but the radius also allows username/password.

I've had issue previously where computer accounts weren't located within the correct OU in AD, so a GPO which assigned the configuration for the wireless connection haven't been pushed out.

My advise is to start at the radius server, look to see how succesfull clients/devices authenticate, and look to then see why your failed clients don't automatically...I do hope that this does assist you in your investigation.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels