https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466237#M291053 <P>You won't be able to perform dual MAC+dot1x authentication using NPS (as in, MAC authenticate a machine and then dot1x authenticate a user).</P><P>However - that should not be required. Instead use something like EAP-TLS. Configure your environment to deploy certificates to machines (and/or users) and authenticate using that.</P><P>This is much stronger than stronger than using MAC-based authentication.</P><P>If instead you mean you want to be able to support devices doing EITHER MAC-based authentication or username/password authentication (for example), then that can be done with NPS - but it is pretty ugly. You have to create AD accounts where the username and password are the MAC address of the device.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points" target="_self" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points</A> </P> Tue, 16 Apr 2024 08:09:00 GMT Philip D'Ath 2024-04-16T08:09:00Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466236#M291052 <P>Hi,</P><P>Require help on how to configure authentication dot1x using user account + mac address. I believe this requires to be done on NPS side. Does anyone have any ideas on this?</P> Tue, 16 Apr 2024 05:26:41 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466236#M291052 ShahrulEzwvn 2024-04-16T05:26:41Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466237#M291053 <P>You won't be able to perform dual MAC+dot1x authentication using NPS (as in, MAC authenticate a machine and then dot1x authenticate a user).</P><P>However - that should not be required. Instead use something like EAP-TLS. Configure your environment to deploy certificates to machines (and/or users) and authenticate using that.</P><P>This is much stronger than stronger than using MAC-based authentication.</P><P>If instead you mean you want to be able to support devices doing EITHER MAC-based authentication or username/password authentication (for example), then that can be done with NPS - but it is pretty ugly. You have to create AD accounts where the username and password are the MAC address of the device.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points" target="_self" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Microsoft_NPS_-_MR_Access_Points</A> </P> Tue, 16 Apr 2024 08:09:00 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466237#M291053 Philip D'Ath 2024-04-16T08:09:00Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466238#M291054 <P>thanks for your explaination. already checked on the MAC as username/password but it cant be done as the AD policy requires special character as the password. </P><P>for the first option, the environment includes the scanner as well. so it seems impossible to generate cert.</P> Tue, 16 Apr 2024 08:19:44 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466238#M291054 ShahrulEzwvn 2024-04-16T08:19:44Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466239#M291055 <P>If you go down this path you need to limit yourself to buying hardware that meets your security posture. There are plenty of scanners and printers out there that support EAP-TLS.</P><P>You could also consider not enabling 802.1x on that port and simply using a sticky MAC address. You can search for the feature on this page:<BR /><A href="https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports" target="_self" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports</A> </P> Tue, 16 Apr 2024 08:27:21 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466239#M291055 Philip D'Ath 2024-04-16T08:27:21Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466240#M291056 <P>I see. Is it possible to bind the user with mac address on the AD side?</P><P>Or could we Whitelist all the mac addresses and deny the rest. Could we achieve this using the meraki wireless? </P> Tue, 16 Apr 2024 09:53:26 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466240#M291056 ShahrulEzwvn 2024-04-16T09:53:26Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466241#M291057 <P>No with Microsoft NPS. To be able to do something like this you need to use an authentication protocol called TEAP, and Microsoft NPS does not support this.</P><P>But no one does this. Everyone uses certificate-based authentication instead that needs this kind of security.</P> Tue, 16 Apr 2024 18:39:29 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466241#M291057 Philip D'Ath 2024-04-16T18:39:29Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466242#M291058 <P>Noted. Any documentation on the meraki setup with the dot1x with certificate-based? </P> Wed, 17 Apr 2024 09:27:49 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466242#M291058 ShahrulEzwvn 2024-04-17T09:27:49Z https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466243#M291059 <P>Not that I am aware of, and it is quite a project. You might want to consider getting someone in to help you with this.</P> Wed, 17 Apr 2024 19:08:24 GMT https://community.cisco.com/t5/wireless/meraki-wireless-dot1x-mac-address/m-p/5466243#M291059 Philip D'Ath 2024-04-17T19:08:24Z