Meraki

Community

Using EAP-TLS with Meraki MDMs SCEP cert and Microsoft NPS

MR45EOL
Here to help
‎Jun 12 2024 9:56 AM
‎Jun 12 2024 9:56 AM

Using EAP-TLS with Meraki MDMs SCEP cert and Microsoft NPS

I have the following prereqs

 

Microsoft NPS as RADIUS

Cisco APs, not Meraki-manageble

Phones managed by Meraki MDM

 

Want to enable EAP-TLS for cert based authentication for phones

 

It seems like Microsoft NPS can only map a certificate to a user with the information in the Subject Alternative Name. If you compare a certificate created on Microsofts CA from the standard user template it registers the SAN info under other names: User Principal Name.

 

Meraki MDM only allows email, uri and DNS as options for the Subject Alternative Name field. So the NPS forwards the request to the domain controller instead that doesnt understand which user it is. The information that is sent to the domain controller is in the format of:

 

X509N:<S>CN=user@contoso.com

 

You can make it work by using the AD-attribute altSecurityIdentities and specifying that the user has that email, or by using the name mappings feature and simply adding the certificate on the user. Seems like shouldnt be necessary though.

 

Anyone know of a way to either make Meraki MDM allow more options for the SAN-field or make the NPS not require the user information to be in the specific Prinical Name option?

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 12 2024 10:16 AM
‎Jun 12 2024 10:16 AM

In my opinion, the solution you presented is the most viable. The ideal would be to open a ticket with both Mricosoft and Meraki.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
MR45EOL
Here to help
‎Jun 12 2024 10:18 AM
‎Jun 12 2024 10:18 AM

You mean by using the altSecurityIdentities attribute? 

 

I have opened a case with Meraki, dont have a valid support contract to contact Microsoft though.

0 Kudos
In response to MR45EOL
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 12 2024 10:20 AM
‎Jun 12 2024 10:20 AM

"You mean by using the altSecurityIdentities attribute?"

 

Yep

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
MR45EOL
Here to help
‎Jun 13 2024 10:36 AM
‎Jun 13 2024 10:36 AM

It seems like Microsoft will stop supporting using email in altSecurityIdentities in 2025 if you check KB5014754 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.