Meraki

Community

Using RADIUS to authenticate both users and computers

KKC
New here
‎Feb 6 2023 10:20 AM
‎Feb 6 2023 10:20 AM

Using RADIUS to authenticate both users and computers

Hi,

 

We have a couple of MR42's and I want to see if this scenario can be archived using RADIUS.  Here are the requirements:

  • We want to use RADIUS to authenticate users against our Active Directory
  • Only the company provided-devices are allowed to connect to the WiFi network

If it is not doable with RADIUS, any alternative?

 

Thanks,

KK

0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 10:32 AM
‎Feb 6 2023 10:32 AM

Is the Meraki System Manager an option?

 

https://documentation.meraki.com/SM/Systems_Manager_Quick-Start

 

You can use Radius Mac filtering, but in my opinion, it's not a good option because you need to change your password policy, to an option with less security.

 

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 11:39 AM
‎Feb 6 2023 11:39 AM

This is possible, although it just became more complicated with Windows 11 22H2 when Microsoft (but surprise) disabled one of the most used protocols for doing it.

 

You'll need to use the Microsoft Certificate server (built into Windows), and deploy a certificate onto every device (for Windows machines you can do this via group policy automatically).

 

You'll use WPA2-Enterprise mode on the WiFi side, and I would use EAP-TLS as the authentication protocol.  You'll use Network Policy Server (NPS) on Windows to achieve this.

 

Meraki had a guide for doing this using the much simpler MSCHAPv2.  If you don't have Windows 11 machines in your environment, you can start with using this approach, and then add on certificates at a later point in time.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

Otherwise - if you haven't done this before don't have certificate services already deployed - get someone in to help you.  It is massively more complicated now.

0 Kudos
In response to PhilipDAth
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 11:49 AM
‎Feb 6 2023 11:49 AM

Oh god how did i forget 802.1x authentication with certificate. 🤓

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to PhilipDAth
KKC
New here
‎Feb 6 2023 1:10 PM
‎Feb 6 2023 1:10 PM

I'll check this out.  I forgot about 802.1x too! 

 

We have only Windows 10 so it's very doable at the moment.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 12:59 PM
‎Feb 6 2023 12:59 PM

The already suggested EAP-TLS is sadly not enough to solve this as the machine- and user authentication is decoupled. There are some workarounds but the only real way is to use TEAP (or the previous version EAP-FAST) as the EAP method because  here we can do EAP-Chaining which couples the user-authentication to the already done machine-authentication.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
KKC
New here
‎Feb 6 2023 1:08 PM
‎Feb 6 2023 1:08 PM

Any detail and configuration examples about this approach?

0 Kudos
In response to KKC
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 2:17 PM
‎Feb 6 2023 2:17 PM

Not sure if NPS supports it. This is for Cisco ISE, perhaps you can adopt it:

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-wit...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 3:26 PM
‎Feb 6 2023 3:26 PM

NPS definitely does not support TEAP.

0 Kudos
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 3:27 PM
‎Feb 6 2023 3:27 PM

I think EAP-TLS will be sufficient if he relaxes the conditions slightly and just does machine-based certificate authentication.

 

He can then at least verify that only authorised machines are attached to the network.

0 Kudos
In response to PhilipDAth
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 10:48 PM
‎Feb 6 2023 10:48 PM

In this case he only knows this for his own machines. But unless *all* devices support EAP-TLS (I haven't seen this on any network) he can't make sure that the user connects with domain-credentials from his personal PC.

But I am completely with you that relaxing the requirements is the right way. Really achieving *this* goal is one of the hardest in the .1X implementation.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.