https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490443#M298403 <P>Looking to only allow domain joined machines on a SSID. Was looking at radius auth but that seems to only check mac address or user accounts despite this statement in the config doc:</P><P>"Type or find the<SPAN> </SPAN><STRONG>Domain Users</STRONG><SPAN> </SPAN>group. This group should be located in the same domain as your RADIUS server.<BR /><STRONG><EM>Note: </EM></STRONG><EM>If RADIUS is being used for Machine Authentication, find the <STRONG>Domain Computers</STRONG> group instead." </EM></P><P>Can this be done using a computer group? If not, what is the best option to verify the computer and minimize complexity to the users? we have about 1500 devices, so creating a mac account for each machine would be a bit cumbersome to maintain.</P><P>Thanks for any suggestions.</P><P>Using NPS for RADIUS.</P><P><!-- StartFragment --><!-- EndFragment --></P> Fri, 11 Oct 2024 16:11:22 GMT TheMightyGaur 2024-10-11T16:11:22Z https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490443#M298403 <P>Looking to only allow domain joined machines on a SSID. Was looking at radius auth but that seems to only check mac address or user accounts despite this statement in the config doc:</P><P>"Type or find the<SPAN> </SPAN><STRONG>Domain Users</STRONG><SPAN> </SPAN>group. This group should be located in the same domain as your RADIUS server.<BR /><STRONG><EM>Note: </EM></STRONG><EM>If RADIUS is being used for Machine Authentication, find the <STRONG>Domain Computers</STRONG> group instead." </EM></P><P>Can this be done using a computer group? If not, what is the best option to verify the computer and minimize complexity to the users? we have about 1500 devices, so creating a mac account for each machine would be a bit cumbersome to maintain.</P><P>Thanks for any suggestions.</P><P>Using NPS for RADIUS.</P><P><!-- StartFragment --><!-- EndFragment --></P> Fri, 11 Oct 2024 16:11:22 GMT https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490443#M298403 TheMightyGaur 2024-10-11T16:11:22Z https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490444#M298404 <P>Using X.509 certs (either user or machine) for Enterprise-802.1x is supported by Meraki APs using NPS as RADIUS <A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP-TLS" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP-TLS</A></P> Fri, 11 Oct 2024 16:15:38 GMT https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490444#M298404 GreenMan 2024-10-11T16:15:38Z https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490445#M298405 <P>You need your NPS access rule to match a specific AD group. In this case that would be the domain computers group. And only if that condition is met you can send the access-accept.<BR /><BR />Usually when you create a network policy on NPS you need to put in following conditions:<BR />nas-port-type = 802.11 wireless<BR />called station id contiains SSIDname<BR />domain computer = the machine group containing your windows machines.<BR /><BR />And make sure this rule is above the default rules.</P> Fri, 11 Oct 2024 18:32:22 GMT https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490445#M298405 joey.debra 2024-10-11T18:32:22Z https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490446#M298406 <P>You will also need to create a group policy to configure your macihnes to only perform machine auth.</P> Sun, 13 Oct 2024 19:36:26 GMT https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490446#M298406 Philip D'Ath 2024-10-13T19:36:26Z https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490447#M298407 <P>Thanks for your reply. I have chosen a different route, but I appreciate your reply</P> Mon, 21 Oct 2024 15:28:15 GMT https://community.cisco.com/t5/wireless/machine-auth-on-ssid/m-p/5490447#M298407 TheMightyGaur 2024-10-21T15:28:15Z