Meraki

MarcusR · ‎Aug 17 2020

I have searched the forum, but not finding a specific answer. Is there a way to only allow a user to connect on domain issued devices? In other words, just because you have credentials to login doesn't mean you can connect with a personal device.

I have seen one or the other method, but not both.

CptnCrnch · ‎Aug 18 2020

@Johan_Oosterwaa:

Please take a look at https://tools.ietf.org/html/rfc7170 (Tunnel Extensible Authentication Protocol (TEAP) Version 1) or https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#Tunnel_Extensible_Authentication_Pr... as a starting point. 🙂

Also, the link provided to the blog entry about bow it's configured might help further.

Btw. and again: Windows is the only OS that differentiates machine from user authentication.

View solution in original post

CptnCrnch · ‎Aug 17 2020

That‘s not something that would be Meraki-specific. It mostly depends on your RADIUS and endpoint infrastructure:

Cisco ISE would allow you to leverage Anyconnect Network Access Manager and EAP chaining („propietary„ solution)
Another option is using Cisco ISE other with Win10 2004 and TEAP (the new standard for EAP chaining)

PhilipDAth · ‎Aug 17 2020

No.

L2TP over IPSec only supports PAP based authentication. The standard provides no way to do both a machine and user authentication.

When AnyConnect gets released for MX then you could use something like Cisco ISE to achieve this (as pointed out by @CptnCrnch ).

TEAP is the long term dream goal, but we need RADIUS servers to be upgraded to support this, and much broader client support. Give it 7 more years.

CptnCrnch · ‎Aug 18 2020

@PhilipDAth as we're in the Wirless corner, I didn't think about L2TP over IPSec. 😉

TEAP on the other hand is already there, I was able to fiddle around with it last year in October: https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

As Windows is the only OS that seperates User from Machine based authentication, there's no need to dream further. 😉

PhilipDAth · ‎Aug 18 2020

Silly me.

But only Windows 10 (and recent Windows 10) supports this, and nothing else. Correct?

I think this user might be better off using certificates and not bother with usernames based authentication.

CptnCrnch · ‎Aug 18 2020

Exactly @PhilipDAth. Windows 10 2004 is the first edition that supports TEAP.

Btw. you can leverage certificate based authentication for machine and user. 😉

Johan_Oosterwaa · ‎Aug 18 2020

We use certificate based authentication to only allow domain laptop on our network.

Most importantly, the EAP protocol is capable of carrying only one Authentication at a given time. It can be either User or Computer and never both. That is Protocol limitation defined in RFC. Thus the AAA or Radius Server has no method of knowing if this request is coming from an unauthenticated machine.

CptnCrnch · ‎Aug 18 2020