Meraki

Community

iOS and WPA2 with Radius Authentication

Solved
Son
Here to help
‎Aug 15 2019 8:10 AM
‎Aug 15 2019 8:10 AM

iOS and WPA2 with Radius Authentication

Hi All,

 

We are about to deploy our Meraki wireless solution in our business and out of the blue a new requirement has come up which we were not told about before!

 

We have a requirement to allow some corporate owned iOS devices (iPads and iPhones) to be accessible on the corporate network, however, we are using Microsoft NPS server with PEAP authentication and a certificate from a trusted CA and allowing Domain Computers to be authorised onto the SSID. Obviously iPads and iPhones cannot be a Domain Computer so how is it best to utilise the NPS server and create a new policy to seamlessly allow these devices onto the network but restricting them by device not user. I guess some sort of MAC authentication would be best here. 

 

We want to use these tools only at the moment not purchase anything else such as Cisco ISE as an NAC.

 

If someone could help and provide any documentation that would be great!

 

Thanks

 

Sonny

1 Accepted Solution
JohnT
Getting noticed
‎Aug 15 2019 9:55 AM
‎Aug 15 2019 9:55 AM

You have to add the user to the authentication group instead of the computer which will give the user access to the corporate WiFi.  If you also want to lock it down to a single device you need to enter the Mac Address in the "Verify Caller-Id:" field on the Dial-In tab in Active Directory.  If the user has more than one IOS device you will need to use regular expressions like A1B2C3D4E5F6 | A2B3C4D5E6F7.

 

2019-08-15 09_51_39-Window.png

View solution in original post

10 Replies 10
JohnT
Getting noticed
‎Aug 15 2019 9:55 AM
‎Aug 15 2019 9:55 AM

You have to add the user to the authentication group instead of the computer which will give the user access to the corporate WiFi.  If you also want to lock it down to a single device you need to enter the Mac Address in the "Verify Caller-Id:" field on the Dial-In tab in Active Directory.  If the user has more than one IOS device you will need to use regular expressions like A1B2C3D4E5F6 | A2B3C4D5E6F7.

 

2019-08-15 09_51_39-Window.png

In response to JohnT
jdsilva
Kind of a big deal
‎Aug 15 2019 10:08 AM
‎Aug 15 2019 10:08 AM

You should be able to install a cert from your CA via your MDM for corp owned IOS devices so they can authenticate to the WiFi the same way a domain machine would. 

 

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to JohnT
Son
Here to help
‎Aug 16 2019 5:49 AM
‎Aug 16 2019 5:49 AM

Hi John,

 

Thanks for this, so are we supposed to add the hyphens in as your screenshot denotes or should we just enter the characters only? See below a copy of our NPS policy, I had to create a new one to match the same SSID but this time with an AD user group which has the permitted user in who requires access with an iOS device and I have added the MAC address in the Verify Caller-ID for that user who i've asked to test. So all being well this will implement user / MAC authentication into one? Let me know if you spot anything incorrect with this?  Thanks!

 

Example.GIF

In response to Son
JohnT
Getting noticed
‎Aug 16 2019 2:11 PM
‎Aug 16 2019 2:11 PM

HI Sonny, that looks correct.  I usually test with the user first and no MAC address to limit the breaking points.  Once the user auth works, I add the MAC address.  I believe you need the hyphens.

 

-John

0 Kudos
In response to JohnT
Son
Here to help
‎Aug 21 2019 7:12 AM
‎Aug 21 2019 7:12 AM

Massive thanks John this is working as expected.

 

Now got to figure out why the traffic is not being routed as expected for these devices! Hopefully it is not anything to do with the Radius policy but doubt it, will review that and raise another case if necessary!

 

Thank you

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 15 2019 3:15 PM
‎Aug 15 2019 3:15 PM

If you have permission, export the certificate from the computer (including the private key) and then import it onto your iOS device.

0 Kudos
In response to PhilipDAth
JohnT
Getting noticed
‎Aug 15 2019 3:39 PM
‎Aug 15 2019 3:39 PM

The problem is that when you use NPS it authenticates the computer account in a security group.  I don't know of a way to add an IOS device to the domain even with a certificate.  Unless I'm missing something here. 

0 Kudos
SantiagoGarces
Conversationalist
‎Aug 17 2019 9:49 AM
‎Aug 17 2019 9:49 AM

on the SSID enable group policies and select whitelist to allow iPhones, Mac, IPad or whichever you want

0 Kudos
SLR
Building a reputation
‎Aug 23 2019 12:12 PM
‎Aug 23 2019 12:12 PM

we are doing something similar and access via wifi on phone/handheld devices crossed my mind as well because I have all domain computers/users to be able to connect to the wifi
we are doing radius athentication - does the accepted solution apply to our use case scenario as well?

we will have guest wifi ssid I am assuming that would be WPA2-PSK with a supplied password. I guess all phones/handhelds can connect that way instead.
0 Kudos
In response to SLR
JohnT
Getting noticed
‎Aug 26 2019 11:04 AM
‎Aug 26 2019 11:04 AM

@SLR If you are connecting with WPA-PSK this does not apply.  This is only relevant if you want to add your phone/handheld devices to the corporate wifi that uses Radius with domain authentication.  Hope this helps.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.