Using RADIUS to authenticate both users and computers

KKC
New here

Hi,

We have a couple of MR42s and I want to see if this scenario can be achieved using RADIUS.  Here are the requirements:

  • We want to use RADIUS to authenticate users against our Active Directory
  • Only the company provided-devices are allowed to connect to the WiFi network

If it is not doable with RADIUS, any alternative?

Thanks,

KK

alemabrahao
Kind of a big deal

Is the Meraki System Manager an option?

https://documentation.meraki.com/SM/Systems_Manager_Quick-Start

You can use RADIUS MAC filtering, but in my opinion it's not a good option because you need to change your password policy to an option with less security.

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

This is possible, although it just became more complicated with Windows 11 22H2 when Microsoft (but surprise) disabled one of the most used protocols for doing it.

You'll need to use the Microsoft Certificate server (built into Windows), and deploy a certificate onto every device (for Windows machines you can do this via group policy automatically).

You'll use WPA2-Enterprise mode on the WiFi side, and I would use EAP-TLS as the authentication protocol.  You'll use Network Policy Server (NPS) on Windows to achieve this.

Meraki had a guide for doing this using the much simpler MSCHAPv2.  If you don't have Windows 11 machines in your environment, you can start with using this approach, and then add on certificates at a later point in time.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

Otherwise - if you haven't done this before or don't have certificate services already deployed - get someone in to help you.  It is massively more complicated now.
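
Before relying on EAP-TLS machine authentication as described above, it helps to confirm that each domain-joined client actually received a usable machine certificate from group policy autoenrollment. The following PowerShell audit is an added example, not code from this thread or from Meraki; the issuing CA name is a placeholder to replace with your own.

```powershell
# Added example: audit the local machine store for a certificate that
# NPS / EAP-TLS can actually use for computer authentication.
# Placeholder: replace with the subject of your own enterprise issuing CA.
$IssuingCaName = 'CN=Contoso Issuing CA'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by EAP-TLS

# Machine certs are normally issued to the computer's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Keep only certs with a private key, the Client Authentication EKU,
# and the expected issuer (rules out self-signed or unrelated certs).
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
    ($_.Issuer -like "$IssuingCaName*")
}

if (-not $candidates) {
    Write-Warning "No machine certificate with Client Authentication EKU from '$IssuingCaName' found. Check the autoenrollment GPO and template permissions."
    return
}

foreach ($cert in $candidates) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    # Verify() builds and validates the chain against the local trust store,
    # which on a domain-joined machine should include the enterprise CA.
    $chainOk = $cert.Verify()
    # Subject CN or a SAN DNS entry should match this host.
    $nameOk  = ($cert.Subject -like "CN=$fqdn*") -or
               ($cert.DnsNameList.Unicode -contains $fqdn)

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        DaysRemaining   = $daysLeft
        ChainValid      = $chainOk
        NameMatchesHost = $nameOk
        Usable          = ($chainOk -and $nameOk -and ($daysLeft -gt 0))
    }
}
```

A client where every row reports Usable = False will fail machine authentication no matter how the NPS policy is written, so run this from a remote management tool across the fleet before switching the SSID to EAP-TLS.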

alemabrahao
Kind of a big deal

Oh god, how did I forget 802.1X authentication with certificates. 🤓

KKC
New here

I'll check this out.  I forgot about 802.1X too!

We have only Windows 10, so it's very doable at the moment.

KarstenI
Kind of a big deal

The already suggested EAP-TLS is sadly not enough to solve this, as the machine and user authentication are decoupled. There are some workarounds, but the only real way is to use TEAP (or the previous version, EAP-FAST) as the EAP method, because here we can do EAP chaining, which couples the user authentication to the machine authentication that has already been done.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
KKC
New here

Any detail and configuration examples about this approach?

KarstenI
Kind of a big deal

Not sure if NPS supports it. This is for Cisco ISE, perhaps you can adopt it:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-wit...

PhilipDAth
Kind of a big deal

NPS definitely does not support TEAP.

PhilipDAth
Kind of a big deal

I think EAP-TLS will be sufficient if he relaxes the conditions slightly and just does machine-based certificate authentication.

He can then at least verify that only authorised machines are attached to the network.

KarstenI
Kind of a big deal

In this case he only knows this for his own machines. But unless *all* devices support EAP-TLS (I haven't seen this on any network), he can't make sure that the user doesn't connect with domain credentials from his personal PC.

But I am completely with you that relaxing the requirements is the right way. Really achieving *this* goal is one of the hardest in the .1X implementation.
