Wireless authentication based on Domain Joined machines only

Solved
alice007
Comes here often

Wireless authentication based on Domain Joined machines only

Hi,

 

I have Meraki configured to use WP2-Enterprise using Windows as NPS server.  

 

There are multiple polices configured e.g. policy 2 is to check if user is part of certain windows group and it works perfect, here is that policy

Annotation 2019-06-25 160913.png

 

I have created another policy and placed it up above this policy i.e. as policy 1.  My intent with this policy is to allow any computer which is part of specific group in domain be allowed to connect to wireless, instead of user. I am after machine authentication . Here is what it looks like

 

2.png

 

However, above is not working i.e..  When I click the Wifi Windows machine part of the domain group it still Prompts to enter credentials User/password rather then automatically logging in to wifi, note both policies are configured under same SSID, using WPA2 Enterprise with my Radius server.

 

What I am missing here, any pointers or advise is welcome

 

 

 

1 Accepted Solution
pjc
A model citizen

In your PEAP authentication settings for your Machine Network Policy, in NPS (under constaints tab), have you got Eap types 'smart Card or other certificate' in there ?

 

peap.PNG

View solution in original post

7 Replies 7
alice007
Comes here often

no one 😞 

pjc
A model citizen

In your PEAP authentication settings for your Machine Network Policy, in NPS (under constaints tab), have you got Eap types 'smart Card or other certificate' in there ?

 

peap.PNG

alice007
Comes here often

Thanks. I missed that certificate part.

 

On separate note, just wondering if there any any security concerns with this setup

Its WPA2 Enterprise with machine Authentication, whereas certificate is issued by Domain to machines. I dont see any , or am I overlooking ?

Brons2
Building a reputation

Maybe it's just me, but allowing AD machine accounts to connect to WiFi without authentication sounds like a bad idea from a security standpoint.  I would not allow this in my network.

 

Maybe only for something like a print server, and then only if interactive logins from non-domain admins was disabled.

 

But anyway.  Good luck.

alice007
Comes here often

Can you be please bit more specific like what are your security concerns in this scenario i.e. Computers which are domain joined beforehand using WiredLan and then added to specific Group are allowed to be part of Wireless LAN (WPA2 Enterprise) whereas authentication is based on Computer accounts.?

 

Really interested to hear specific security concerns or what could go wrong.

 

 

Brons2
Building a reputation

How can you be sure that someone nefarious won't log into the computer itself using a local account?  It's already on the network, so if a bad actor was able to gain access, they could then start searching for other assets to compromise.

 

This could be mitigated somewhat by having the hard drive encrypted and a bios password set.  If those aren't done though, gaining access to a local account is fairly trivial for anyone who has physical access, with readily available hacking tools.

GlenW70
Here to help

We are working towards this solution today for a couple of reasons.

1) When a laptop gets patched and rebooted today it does not reconnect to the network (assuming it was only wifi connected) until a user interactively logs on.  With COVID keeping folks out of many offices for weeks or months on end this has been problematic

2) When an IT person attempts to logon to a laptop via wireless (currently using RADIUS with NPS to AD) that logon fails because there is no network connection until after successful login (exception being cached credentials).  This is a pain for IT and forces them to connect wired before then can even start their work.

3) If you have any sort of logon script or any other processing that should happen at logon this doesn't work properly either (cart before the horse)

 

To mitigate some of the concerns mentioned above our AD team uses LAPS to automate local admin account password changes every month and each one is stored in a secure server that requires multi factor auth to logon to.

We also encrypt the drives of all mobile device making boot disks and other ways to reset the local accounts very difficult.

 

Lastly, we are using 2 AD groups one that we can add devices we want to deny (policy 1) and the other those we want to permit (unsure but could ultimately be domain computers with exceptions weeded out in policy 1) in policy 2.

 

Hope this helps.  Also, good luck with setting this up.  I have found MANY different articles and approaches on this.  Many focus on the user auth side.  The machine auth is more complicated and there isn't a single recipe for success I've found so far anyway.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels