Using EAP-TLS with Meraki MDMs SCEP cert and Microsoft NPS

MR45EOL
Here to help


I have the following prereqs:

Microsoft NPS as RADIUS

Cisco APs, not Meraki-manageable

Phones managed by Meraki MDM

Want to enable EAP-TLS for cert-based authentication for phones.

It seems like Microsoft NPS can only map a certificate to a user with the information in the Subject Alternative Name. If you compare a certificate created on Microsoft's CA from the standard user template, it registers the SAN info under Other Name: User Principal Name.

Meraki MDM only allows email, URI and DNS as options for the Subject Alternative Name field. So the NPS forwards the request to the domain controller, which doesn't understand which user it is. The information that is sent to the domain controller is in the format of:

X509N:<S>CN=user@contoso.com

You can make it work by using the AD attribute altSecurityIdentities and specifying that the user has that email, or by using the name mappings feature and simply adding the certificate on the user. Seems like it shouldn't be necessary though.

Anyone know of a way to either make Meraki MDM allow more options for the SAN field, or make the NPS not require the user information to be in the specific Principal Name option?

alemabrahao
Kind of a big deal

In my opinion, the solution you presented is the most viable. The ideal would be to open a ticket with both Microsoft and Meraki.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

You mean by using the altSecurityIdentities attribute? 

 

I have opened a case with Meraki, don't have a valid support contract to contact Microsoft though.

alemabrahao
Kind of a big deal

"You mean by using the altSecurityIdentities attribute?"

 

Yep

MR45EOL
Here to help

It seems like Microsoft will stop supporting using email in altSecurityIdentities in 2025 if you check KB5014754 
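
The altSecurityIdentities workaround from the original post, written in the "strong" mapping form that KB5014754 asks for instead of the e-mail (RFC822) or subject-only forms it phases out. This is an added example, not code from the thread, from Meraki or from Microsoft. It assumes the phone's SCEP-issued certificate has been exported to a file (placeholder path phone-cert.cer), that the target user is identified by a placeholder sAMAccountName (jdoe), and that the ActiveDirectory RSAT module is installed on the machine running it.

```powershell
# Added example (not from the thread): build a KB5014754 "strong" certificate-to-user
# mapping (X509:<I>issuer<SR>reversed-serial) for altSecurityIdentities from the
# phone's SCEP certificate and write it on the AD user, so the DC can identify the
# user even though the Meraki-issued cert carries no UPN in its SAN.
# Assumptions: $CertPath is an exported DER or Base64 .cer, $SamAccountName is the
# user the phone belongs to, and the ActiveDirectory module is available.
# Both values below are placeholders.

param(
    [string]$CertPath       = '.\phone-cert.cer',   # assumed path to the exported cert
    [string]$SamAccountName = 'jdoe'                # assumed AD user
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# <I> expects the issuer DN in reversed RDN order (DC=com,DC=contoso,CN=CA) with no
# spaces after the commas. Format($true) yields one RDN per line, which is safer than
# splitting the single-line DN on commas when an RDN value itself contains a comma.
$rdns = @($cert.IssuerName.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
[array]::Reverse($rdns)
$issuerReversed = $rdns -join ','

# <SR> expects the serial number with its byte order reversed. $cert.SerialNumber is
# the big-endian hex string, so reverse it two hex characters (one byte) at a time.
$hex   = $cert.SerialNumber
$bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
[array]::Reverse($bytes)
$serialReversed = ($bytes -join '').ToUpper()

$strongMapping = "X509:<I>$issuerReversed<SR>$serialReversed"

# The subject-only form seen in the thread, shown for comparison only. KB5014754
# classes it as weak, so it is not written to the user.
$weakMapping = "X509:<S>$($cert.Subject)"
Write-Host "Weak   (not written): $weakMapping"
Write-Host "Strong (written)    : $strongMapping"

# -Replace rather than -Add, so a stale serial from an earlier SCEP renewal does not
# linger on the account. Use -Add instead if the user legitimately has several certs.
Set-ADUser -Identity $SamAccountName -Replace @{ altSecurityIdentities = $strongMapping }

# Show what the DC will now match against during the EAP-TLS lookup.
Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
```

Because the serial number is unique to each issued certificate, a strong mapping is tied to one certificate: every time Meraki MDM renews the phone's SCEP certificate the mapping has to be written again, so in practice this script (or its equivalent) needs to run as part of the renewal workflow rather than once per user.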
