Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About brconflict
Community Record
13
Posts
1
Kudos
0
Solutions
Badges
Sep 14 2022
5:41 AM
How many users? Are they all using the same certificate, or are they generating certs for individual users? In my org, we have thousands of users all over the globe.
... View more
Feb 27 2021
6:35 PM
Thanks for the input. See, the problem with Cisco ISE is, it provides a host and wealth of other features we simply don't need. We're not going to Cisco ISE because it does "too much" and requires too much effort to set up to solve one simple problem. It would be cheaper and far simpler to use Meraki MDM with Sentry rules, but, the MDM won't co-exist with our approved MDM, unfortunately. Plus, the Meraki MDM price doesn't compete with our chosen options.
... View more
Feb 23 2021
1:57 PM
Thanks! It doesn't really solve my problem, so maybe Meraki would consider stepping up beyond the MDM/Sentry rule(s). MFA: If a new user authenticates on the network each day, with a single MFA in a Splash Page, then the user can be "authenticated" through the day, free to roam. If a new device MAC address authenticates during the day, or another device on a separate AP or network authenticates as the same user, that new device is prompted for MFA. Some tout that password expiry is a bad idea, because users tend to write down passwords. I disagree, because you never otherwise would know if your user/pass was ever compromised and may not manifest as a breach until years after the credentials were unwittingly compromised. Plus, when users, who typically write passwords down commit their first password, they may write that one down, anyway.
... View more
Feb 9 2021
7:46 PM
If this is a new solution, try contacting Cisco TAC and open a P1 case with them. They know both devices, and should be able to help.
... View more
Feb 9 2021
7:41 PM
Is there a way to authenticate a user along with the hardware on WiFi (WPA2 Enterprise) without the device being enrolled in the Meraki MDM? We are unable to use the MDM at the feature-level it's currently at for both Windows and Mac OS users, but need to authenticate the user as well as the hardware device. Thanks!
... View more
Jun 2 2020
1:10 PM
If that's the case, I'm not fully understanding if/why Okta cannot or will not use it. I've worked on them for over a year in the hopes to get them to implement, but they've said it was not going to happen. We're researching other workarounds, which centralize AUTH, but allow Meraki wired 802.1x to work with it.
... View more
Jun 2 2020
6:56 AM
To be clear, RADIUS with MSCHAPv2 works fine for AD, which is the method we're using. The goal, ultimately is to remove AD altogether and use a single cloud-based solution. Okta is almost there, but without MSCHAPv2, it's simply not possible. As for using MSCHAPv2 in SAMBA, I suspect there's a licensing challenge there since SAMBA is free (GNU), and Okta Authentication isn't. Perhaps they could build it into the package as value-add, but I suspect they would be naive to assume Microsoft wouldn't try to stop that if Okta is a competitor. I don't personally know the mechanics of that challenge they have, but their engineering team said they've not been allowed to employ it for whatever reason.
... View more
Jun 1 2020
2:00 PM
1 Kudo
I've been campaigning for a working solution to how users Authenticate for wired port security, and it's sort deflating that the industry standard methods are simply not working for me me. My goal: In my org, I have the desire to use Okta for a user-base, and to have all networks around the globe (all Meraki MS switches) to Auth users with Okta. Okta doesn't support RADIUS MSCHAPv2 (Microsoft refuses to work with them, I'm told). Meraki MS switches don't support EAP-TTLS or PAP RADIUS. Okta supports a cloud-based RADIUS solution, but again, doesn't support MSCHAPv2, the only protocol Meraki does support. My workaround: Since I need this global network to exist, and for my teams to onboard/offboard users as needed, meanwhile allow users to easily travel to our offices without hindrance, I'm having to provide: Active Directory running NPS (RADIUS) at each location, or in AWS. Authenticate wired port security users directly with each location's AD/NPS. Use Okta agent and push-groups to push users and group assignments to each integrated AD. Outlook: What are the chances Meraki will extend Authentication at wired ports to use EAP-TTLS, or to work with Okta on a real integration? Thanks!
... View more
Sep 5 2019
10:31 AM
I would regard Google Authentication as a temp fix for Single VLAN locations where a user-base directory for RADIUS Authentication is not available. There's some serious drawbacks to using Google Authentication: 1 - Must generate a GSuite App-Specific password per user. 2 - Must install or activate a mobile-config profile on Mac OS (per network) or Windows machines (per user). 3 - You cannot re-use the same SSID in multiple locations if one is Google Auth, but the other location uses RADIUS. 4 - I have had reports of users unable to connect to other open networks, such as hotel-net WiFi networks. Deleting the Google authentication mobile.config profile for Mac OS users seems to allow that. 5 - No dynamic VLAN assignments possible via Google alone, and you cant even set up separate SSID's for different VLANs and expect some users to work on one SSID vs another. You might find some functionality via Sentry rules in Meraki System Manager (MDM), which could potentially specify which SSID's a tagged user's hardware can connect to, but this would be cumbersome to manage, and not really a best-practice.
... View more
Sep 18 2017
7:40 AM
Actually, we need both. I need to authenticate the user and machine, but the user is more important. So much effort was put into trying to sell us a Meraki solution, to the point that the features we wanted seemed trivial, and Meraki can handle pretty much anything we needed, in some way. But the results are that RADIUS or AD are the only two options--no LDAP, which I need most. But alas, we are doing other work to make the more old-school RADIUS work for us.
... View more
Sep 1 2017
2:54 PM
I'm troubleshooting an issue with with RADIUS AUTH, and the use of pushed 802.1x profiles. We have a "shared" user/password that will use RADIUS IETF attributes to assign a user to specific VLANs, based on LDAP groups (behind the RADIUS). The Authentication, group assignment, etc. work fine, and the user is assigned the correct VLAN. After first entry, the user's 802.1x authentication is stored in the MacOS keychain (at the system level). It all works as we need. However... We want to push the 802.1x profile with the included "shared" username/password to all users, and have them not ever be prompted for 802.1x login from the switch. The 802.1x profile is pushed, and the MacOS keychain shows it stored there, again at the system level, not user level. When connecting to a wired Meraki switchport, the user is still prompted for the 802.1x login. The MacOS machine is prompted for the 802.1x credentials pushed from Meraki. It doesn't put this together that this prompt and the pushed profile are for the same thing. Any suggestions? The issue seems to be that the 802.1x profile is pushed to the system and not the user, which is what the Meraki switch requests.
... View more
Aug 30 2017
7:27 AM
Thanks for the response. Unfortunately, by our customer security requirements, we can't use AD. We're a total Linux, MacOS shop. We use FreeIPA. We use Aruba WiFi since it supports PMKID and LDAP-s, but Meraki WiFi had not at the time (maybe still doesn't). I'll keep digging. Surely Meraki has some answer to this outside Windows. Thanks again!!
... View more
Aug 28 2017
2:49 PM
Hello, I'm evaluating going Meraki from an ASA for perimeter security at some locations, and the only two potential hangups I'm having are: 1. Does the Client VPN configuration support dynamic Group Policy / Access based on RADIUS Group attributes (like MS250 Access Policies for switchport security)? 2. Is there any consideration by Meraki of future support for LDAP-s AUTH across the board? That's what I use heavily today for Authentication and Authorization, but it doesn't appear Meraki supports LDAP at all.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 5572 |
© 2024 Cisco Systems, Inc.
