Hello, I validated the steps in this guide on how to set up EAP-TTLS/PAP Username+Password Authentication with Entra ID Lookup. I found it hard to understand from this guide https://documentation.meraki.com/Platform_Management/Access_Manager/Design_and_Configure/EAP-TTLS%2F%2FPAP_Username_Password_Authentication_with_Entra_ID_Lookup that you are required to set the security groups or the users in the Enterprise application for the credentials of the user being controlled and validated by using TTLS. The only row that tells this is the authentication flow, so you really need to read this to understand that you have to do this, in my opinion. I found this by comparing the EAP-TTLS vs EAP-TLS guides, where there is a different authentication flow. EAP-TTLS uses Entra ID to compare attributes. EAP-TLS uses the IdP-synced local database to compare attributes using the certificate. I would love it if this would become more clear for other people having issues doing the configuration for EAP-TTLS! 🙂

Authentication Flow (EAP-TTLS)

First, let's try to understand the authentication flow for this specific use case. As shown in the diagram below, our goal is to enable end-users or endpoints to connect to the network (SSID or a switch port) using their domain username and password. The authentication flow is:

1. The endpoint initiates the connection with the SSID or switch port.
2. The network device will request the identity of the endpoint.
3. The user will enter their username and password, or the endpoint uses the saved credentials, which will be sent to the network device.
4. The network device will forward the identity information within a RADIUS packet to Cisco Meraki Cloud over a Cisco proprietary AES-256-bit encrypted TLS tunnel.
5. Cisco Meraki Cloud will authenticate the user directly against Entra ID.
6. Cisco Meraki Cloud would have already synchronized users, user groups and user attributes from the Entra ID Graph API integration and stored them in its local database.
7. Access Manager evaluates the session against the configured rules: a rule is matched if all the defined conditions (like user identity from Entra ID, endpoint identity, network information and others) are matched, and the corresponding configured authorization will be applied as a result.
8. The resulting authorization (for example SGT, VLAN and others) will be sent back to the network device for enforcement.
9. The endpoint will be connected successfully.

Authentication Flow (EAP-TLS)

Let's start by understanding the authentication flow for this use case. The goal is to enable network access (SSID or switch port) for users and endpoints based on their installed certificates, as shown in the diagram. The authentication flow consists of these steps:

1. The endpoint initiates the connection with the SSID or switch port.
2. The network device requests the identity of the endpoint.
3. The endpoint responds with the configured certificate information for this particular connection.
4. The network device forwards the identity information within a RADIUS packet to the Cisco Meraki Cloud over a proprietary AES-256-bit encrypted TLS tunnel.
5. The Cloud has already synchronized users, user groups and user attributes using the Entra ID Graph API integration, and stored them in a local database.
6. Access Manager performs certificate authentication, including a validity check and a known CA check.
7. Access Manager evaluates the session based on the configured rules. A rule matches if all defined conditions, such as user identity (from Entra ID), device identity, and network information, are met.
8. When a rule matches, the corresponding authorization is applied.
9. The resulting authorization, in this case tagging endpoints with an SGT and VLAN, is received and enforced by the network device.
10. The endpoint is successfully connected.
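To make the difference between the two flows concrete, here is an added example (not Cisco Meraki code, and not part of the original post) that models the authentication and rule-evaluation steps quoted above in a few dozen lines of Python. Everything in it is an assumption constructed for illustration: the directory of users and their enterprise-application assignment, the synchronized local database, the trusted CA list, the `Session`/`Rule` structures and the `authorize()` function. It encodes the point the post makes: in the EAP-TTLS/PAP path a correct password is not enough, the user must be assigned to the enterprise application for the Entra ID lookup to succeed; in the EAP-TLS path the certificate must pass the validity and known-CA checks before the synced local database is consulted; and in both paths a rule only matches when every one of its conditions holds.

```python
"""Constructed model of the Access Manager flow steps quoted in the post.

Added example, not Cisco Meraki code. The data below, the structures and the
rule semantics (all conditions must hold, first match wins, otherwise reject)
are assumptions that model the described flow, not the product's real API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-in for the Entra ID enterprise application. Only identities
# assigned to the application (directly or through a security group) are
# visible to the lookup; "assigned": False models the gotcha in the post.
ENTRA_APP_DIRECTORY: Dict[str, dict] = {
    "alice@example.com": {"password": "correct-horse", "assigned": True,
                          "groups": {"Staff", "VPN-Users"}},
    "bob@example.com":   {"password": "battery-staple", "assigned": False,
                          "groups": {"Staff"}},
}

# Constructed local database that the Cloud synchronized via the Graph API
# integration; the EAP-TLS path maps the certificate identity to groups here.
SYNCED_LOCAL_DB: Dict[str, Set[str]] = {
    "alice@example.com": {"Staff", "VPN-Users"},
    "carol@example.com": {"Contractors"},
}

KNOWN_CAS: Set[str] = {"Corp-Issuing-CA"}   # constructed list of trusted issuers


@dataclass
class Session:
    username: str
    method: str                            # "EAP-TTLS/PAP" or "EAP-TLS"
    ssid: str
    password: Optional[str] = None         # EAP-TTLS/PAP only (inner PAP)
    cert_issuer: Optional[str] = None      # EAP-TLS only
    cert_expired: bool = False             # EAP-TLS only
    groups: Set[str] = field(default_factory=set)   # filled by authentication


@dataclass
class Rule:
    name: str
    conditions: List[Callable[[Session], bool]]   # ALL must hold
    authorization: dict


def authenticate_ttls(session: Session) -> bool:
    """EAP-TTLS step 5: check username/password directly against Entra ID.
    A correct password alone is not enough; the user must be assigned to the app."""
    entry = ENTRA_APP_DIRECTORY.get(session.username)
    if entry is None or not entry["assigned"]:
        return False
    if entry["password"] != session.password:
        return False
    session.groups = set(entry["groups"])
    return True


def authenticate_tls(session: Session) -> bool:
    """EAP-TLS step 6: validity check and known CA, then look the certificate
    identity up in the synchronized local database."""
    if session.cert_expired or session.cert_issuer not in KNOWN_CAS:
        return False
    groups = SYNCED_LOCAL_DB.get(session.username)
    if groups is None:
        return False
    session.groups = set(groups)
    return True


def evaluate(rules: List[Rule], session: Session) -> Tuple[str, dict]:
    """Rule evaluation: a rule matches only if every condition holds; the first
    matching rule's authorization is returned, otherwise the session is rejected."""
    for rule in rules:
        if all(cond(session) for cond in rule.conditions):
            return rule.name, rule.authorization
    return "no-match", {"access": "reject"}


def authorize(session: Session, rules: List[Rule]) -> Tuple[str, dict]:
    """Full flow: authenticate according to the EAP method, then evaluate rules."""
    if session.method == "EAP-TTLS/PAP":
        ok = authenticate_ttls(session)
    else:
        ok = authenticate_tls(session)
    if not ok:
        return "auth-failed", {"access": "reject"}
    return evaluate(rules, session)


# Constructed rule set: user group from Entra ID plus network information (SSID).
RULES: List[Rule] = [
    Rule("staff-corp-wifi",
         [lambda s: "Staff" in s.groups, lambda s: s.ssid == "Corp-WiFi"],
         {"access": "accept", "vlan": 10, "sgt": 100}),
    Rule("contractors",
         [lambda s: "Contractors" in s.groups],
         {"access": "accept", "vlan": 20, "sgt": 200}),
]


if __name__ == "__main__":
    s = Session("bob@example.com", "EAP-TTLS/PAP", "Corp-WiFi", password="battery-staple")
    print(authorize(s, RULES))   # bob is not assigned to the app: auth-failed
```

Running the block shows the case the post is about: bob's password is correct, yet the EAP-TTLS lookup fails because he is not assigned to the enterprise application. Changing `"assigned"` to `True` for bob makes the same session match the `staff-corp-wifi` rule, while alice on a different SSID authenticates fine but hits no rule, since every condition of a rule has to hold.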