Using EAP-TLS with Meraki MDMs SCEP cert and Microsoft NPS

MR45EOL
Here to help

Using EAP-TLS with Meraki MDMs SCEP cert and Microsoft NPS

I have the following prereqs

 

Microsoft NPS as RADIUS

Cisco APs, not Meraki-manageble

Phones managed by Meraki MDM

 

Want to enable EAP-TLS for cert based authentication for phones

 

It seems like Microsoft NPS can only map a certificate to a user with the information in the Subject Alternative Name. If you compare a certificate created on Microsofts CA from the standard user template it registers the SAN info under other names: User Principal Name.

 

Meraki MDM only allows email, uri and DNS as options for the Subject Alternative Name field. So the NPS forwards the request to the domain controller instead that doesnt understand which user it is. The information that is sent to the domain controller is in the format of:

 

X509N:<S>CN=user@contoso.com

 

You can make it work by using the AD-attribute altSecurityIdentities and specifying that the user has that email, or by using the name mappings feature and simply adding the certificate on the user. Seems like shouldnt be necessary though.

 

Anyone know of a way to either make Meraki MDM allow more options for the SAN-field or make the NPS not require the user information to be in the specific Prinical Name option?

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

In my opinion, the solution you presented is the most viable. The ideal would be to open a ticket with both Mricosoft and Meraki.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MR45EOL
Here to help

You mean by using the altSecurityIdentities attribute? 

 

I have opened a case with Meraki, dont have a valid support contract to contact Microsoft though.

alemabrahao
Kind of a big deal
Kind of a big deal

"You mean by using the altSecurityIdentities attribute?"

 

Yep

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MR45EOL
Here to help

It seems like Microsoft will stop supporting using email in altSecurityIdentities in 2025 if you check KB5014754 

Get notified when there are additional replies to this discussion.