topic Re: RADIUS Authentication with WPA2-Enterprise in Wireless

RADIUS Authentication with WPA2-Enterprise

thanos.theod — Mon, 14 Feb 2022 13:48:48 GMT

Hello,

I ve setup the Nps and meraki configuration settings in order to use the authentication method using the steps in the above url.

Everything seems ok and the AP's are contacting with the radius server,.I want to test the scenario of a device(windows/android) that has not the Self signed certificate installed so it cannot access the wifi and the scenario where the device has the certificate and have access to the wifi.Is it something else i have to do except from the configuration that is explained below

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

Re: RADIUS Authentication with WPA2-Enterprise

Scott Fella — Mon, 14 Feb 2022 15:02:53 GMT

You need to look at EAP-TLS not EAP-PEAP. EAP-TLS requires a certificate on the device and radius server and for both devices to trust the server. EAP-PEAP uses a username/password auth that only requires a radius certificate in which the device has to accept or trust. In your post, you need to implement EAP-TLS and that would be rules specified on the radius server.

Re: RADIUS Authentication with WPA2-Enterprise

thanos.theod — Wed, 16 Feb 2022 06:45:29 GMT

Hello,

Thank you for your answer.Can i ask you if there is a configuration sheet that describes all this process(how to configure nps and devices).
Also i would like to ask you if i should try the connection in non domain or domain windows devices and if i can try it in android devices too.Is there an example of doing this test to the devices and how to make changes for the certificate?

I have found the above configuration about it.Is that correct?

https://www.dar-fi.com/configure-eap-tls-using-ise-and-meraki-ap/

Re: RADIUS Authentication with WPA2-Enterprise

patoberli — Wed, 16 Feb 2022 12:37:56 GMT

This guide should still be valid, even with NPS 2019:

https://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

It's for a WLC and not Meraki setup, but the important part here is the NPS and not the WLC.

Re: RADIUS Authentication with WPA2-Enterprise

Scott Fella — Wed, 16 Feb 2022 14:32:19 GMT

Search the internet for the following: "cisco wlc and NPS radius", "cisco wlc and NPS PEAP", "cisco wlc and NPS EAP"

This will provide you with guides, blogs and videos that will help you out.

Re: RADIUS Authentication with WPA2-Enterprise

thanos.theod — Tue, 22 Feb 2022 08:40:02 GMT

Thanks for your support!
I have just configured in Radius the above (see above attached images)for the eap-tls following the instractions of the guides.
I test the connection to the Radius from Meraki dashboard and i still get error in testing.
In event Viewer on Radius i get "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server." Error code 22.In android device i use the configuration for tls

Can you help me if you have issued something like this?

https://networklessons.com/uncategorized/eap-tls-certificates-for-wireless-on-android

Re: RADIUS Authentication with WPA2-Enterprise

Scott Fella — Tue, 22 Feb 2022 15:03:49 GMT

I don't have NPS in my lab. What I can say is that when you use EAP-TLS, the device has to have the radius root CA installed in the trusted certificate store. The device would also need to have a valid user/device certificate installed properly. Have you reached out to Meraki support or the Meraki forum?

Re: RADIUS Authentication with WPA2-Enterprise

thanos.theod — Thu, 07 Apr 2022 06:47:56 GMT

Hello,

Is there any documentation of using a 3rd party certificate in EAP-TLS both in server ad clients(android,windows) according to the description of meraki's configuration sheet?

Is the proceedure the same as discribed above" device has to have the radius root CA installed in the trusted certificate store. The device would also need to have a valid user/device certificate installed properly."

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

Acquire a certificate from a trusted Certificate Authority
As long as the CA used is trusted by clients on the network, a certificate can be purchased and uploaded into NPS to accomplish and server identity verification (required by clients). Common examples of trusted CAs include GoDaddy and VeriSign.