Hi Guys,
We have set up RADIUS authentication for the wireless users. Here, Windows users connect easily using RADIUS authentication with domain users, but what is the scope for mobile devices? As we know, a username with the domain does not work on phones the way it does on Windows machines. Any scope or suggestions?
Your prompt response will be highly appreciated.
Many Thanks.
Also with non-domain-members like phones you can authenticate against AD. But for phones EAP-TLS is the better solution. Just imagine you change your password on your PC and the phone (with the saved old password) tries to reconnect several times.
Hi Karstenl,
Did you mean using RADIUS MAC-based authentication for mobile devices?
Many Thanks.
No, EAP-TLS uses certificates. MAC-based authentication should not be used for corporate access as MAC addresses can easily be spoofed.
Also think about using Sentry with the Meraki MDM. By enrolling the device in MDM it can automatically get a certificate to connect to a secure SSID.
Yeah, true, but MDM requires an additional license from Meraki support.
Yes, it's a paid license. But IMO worth it at least for company owned mobile devices.
Thanks, but we can achieve this without MDM too, right? I think using RADIUS EAP-TLS we can get this done.
Yes, you just have to compare the cost of the license with the effort you have to make in building and operating your own CA. If the CA is only for WLAN, I assume that Meraki SM could be less pricy.
If you are a friend of RedHat/CentOS/Fedora-Linux, then dogtag-CA could be a solution. For Windows Server there is a built-in CA.
OK Thanks for that.
Mobile devices should be able to authenticate using an AD username/password (PEAP-MSCHAPv2). I have done this a million times.
Agree with @PhilipDAth, this can be done. I set up a test bench server & client doing this very thing a few weeks ago.
Of course PEAP can be used... and will work for a specific amount of time. But please note that @KarstenI made a very valid point: "Just imagine you change your password on your PC and the phone (with the saved old password) tries to reconnect several times". It's definitely error-prone, as seen with more than one client of ours.
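
The failure mode raised in this thread (a phone retrying PEAP with a saved old password after the user changed it on the PC) can be picked out of RADIUS authentication logs. The following is an added example, not part of any post and not Meraki or Microsoft tooling; the log layout, the function names and the threshold and window values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp,user,client MAC,result. This CSV layout
# is an assumption for illustration, not a real RADIUS server's log format.
SAMPLE_LOG = """\
2024-05-06T09:00:05,alice,AA-BB-CC-00-00-01,accept
2024-05-06T09:01:00,alice,AA-BB-CC-00-00-02,reject
2024-05-06T09:01:30,alice,AA-BB-CC-00-00-02,reject
2024-05-06T09:02:00,alice,AA-BB-CC-00-00-02,reject
2024-05-06T09:02:30,alice,AA-BB-CC-00-00-02,reject
2024-05-06T09:05:00,bob,AA-BB-CC-00-00-03,reject
2024-05-06T09:05:20,bob,AA-BB-CC-00-00-03,accept
2024-05-06T09:06:00,carol,AA-BB-CC-00-00-04,reject
2024-05-06T09:06:10,carol,AA-BB-CC-00-00-04,reject
2024-05-06T09:06:20,carol,AA-BB-CC-00-00-04,reject
"""

def parse(log):
    """Yield (timestamp, user, mac, result) tuples from the constructed layout."""
    for line in log.strip().splitlines():
        ts, user, mac, result = line.split(",")
        yield datetime.fromisoformat(ts), user, mac.upper(), result

def stale_credential_suspects(log, threshold=3, window=timedelta(minutes=10)):
    """Return {(user, mac): reject_count} for devices that are rejected repeatedly
    while the same user is accepted from a different device around the same time."""
    accepts = defaultdict(list)   # user -> [(timestamp, mac)]
    rejects = defaultdict(list)   # (user, mac) -> [timestamp]
    for ts, user, mac, result in parse(log):
        if result == "accept":
            accepts[user].append((ts, mac))
        else:
            rejects[(user, mac)].append(ts)
    suspects = {}
    for (user, mac), times in rejects.items():
        times.sort()
        # Largest number of rejects that fall inside one sliding window.
        burst = max(sum(1 for t in times if s <= t <= s + window) for s in times)
        if burst < threshold:
            continue  # a single mistyped password, not a retry loop
        # The current password works on another device, so this one is likely stale.
        lo, hi = times[0] - window, times[-1] + window
        if any(m != mac and lo <= t <= hi for t, m in accepts[user]):
            suspects[(user, mac)] = len(times)
    return suspects

if __name__ == "__main__":
    print(stale_credential_suspects(SAMPLE_LOG))
```

Repeated rejects with no successful login elsewhere (carol in the sample) are deliberately left out of this result, since they need a different review than a device holding an old password.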