Meraki

Community

radius settings MS NPS Server

zfrangi
Conversationalist
‎Feb 25 2019 7:31 AM
‎Feb 25 2019 7:31 AM

radius settings MS NPS Server

Im looking to compare settings here for others that are using a MS NPS server to authenticate users for secure wifi. We have had a meraki wireless system in place now for five years. From time to time we get staff that complain that they can no longer authenticate to the secure wifi on their windows laptops. I have a suspicion that it happens whenever their A/D credentials expire or when they are first logging onto the machine for the first time and need to change the temp password. What we typically do is hardwire their laptop and have them sign in and then it clears up. I have a feeling that the configuration on our nps server may not be setup right. Something tells me that we need to have the machine authentication turned on as well?  
 

Does the machine authentication need to be done in the connection request policy and or network policies on the nps server?  For example do I need to modify the conditions and add a machine group?  Does it also need to be specified on the GPO object thats being pushed out to the machine as well?  In looking over the guide from meraki

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

It appears that they are using user authentication for the policy on the nps server but  machine authentication on the gpo.  

 
0 Kudos
6 Replies 6
NolanHerring
Kind of a big deal
‎Feb 25 2019 7:41 AM
‎Feb 25 2019 7:41 AM

I do machine authentication specifically for the issue of either a shared laptop having a new user login for the first time, or at least getting the machine on the network for it to allow users to update creds etc.

Assuming your using GPO to configure your laptops, you can configure it so it only allows machine auth, or both machine/user. On the NPS server you'll have to decide there as well which method you want to use. I don't have access to ours but I believe we have both enabled (just in case). However, when a laptop turns on or reboots, it will auto-join our corp SSID as soon as it is finished booting.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 25 2019 11:03 AM
‎Feb 25 2019 11:03 AM

If you have users who are mostly using WiFi you need to permit both their computer (I typically allow Domain Computers) and their user account.

 

Otherwise you get this situation when the machine boots up; it is not connected to the WiFi.  The user tries to login, but it can only use cached credentials.  If the credentials don't match a newer change then they can actually log into the machine but not attach to the WiFi because the WiFi only knows the new credentials (it is talking to AD).

 

If you allow machine authentication as well the machine starts up.  It can now also do group policy processing.  The user goes to log in, but because the machine can now talk to a domain controller it doesn't have to use cached credentials.  It actually authenticates directly against the AD controller.  If that passes the users logins in, and then re-authenticates to the WiFi using the known good credentials.

In response to PhilipDAth
zfrangi
Conversationalist
‎Feb 26 2019 8:45 AM
‎Feb 26 2019 8:45 AM

So basically I need to modify the connection request policy and the network policies and put in domain users and domain computers?npsserver1.PNGnpsserver2.PNG

 

 

0 Kudos
In response to zfrangi
zfrangi
Conversationalist
‎Feb 26 2019 9:01 AM
‎Feb 26 2019 9:01 AM

So nevermind apparently I mispoke. You can only setup user and machine auth on the network policy only on the nps server.  The connection request policy doesnt have those options.  Im attaching screenshots of what my changes look like.  What sort of errors should I be looking for in the event log if something isnt working right?  Crossing my fingers!!

 

Thanks

 

 

 

look  npsserver4.PNGnpsserver3.PNG

0 Kudos
In response to zfrangi
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 26 2019 9:39 AM
‎Feb 26 2019 9:39 AM

"Connection Request Policies" just say what requests to process localling on "this" server rather than sending them to another server.

You should not need to change the Connect Request Policies.  The default policy, which says to process everything localy, is fine.

0 Kudos
In response to zfrangi
Jp2
New here
‎Mar 5 2020 6:09 PM
‎Mar 5 2020 6:09 PM

Hi zfrangi,

 

Can you please tell me how to get to the screenshot you have listed. I may need to start a new conversation, but were having an issue, in short - we have Meraki setup to use Radius server, however, when a laptop connects,  the user is not prompted to enter username and password which we want to happen, but when they connect with their mobile it does have a prompt and the screenshot you have posted I can find anywhere to enable user authentication which may be our issue. Any help appreciated, if I do need to start a new conversation please let me know.

 

Thank You.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.