topic Client Authentication using MAC and AD account in Wireless

Client Authentication using MAC and AD account

ajiang1 — Sun, 21 Jul 2024 09:30:17 GMT

I want to control user devices through their MAC address and AD account when accessing the wireless network. That means, to access the wireless network, the device must have its MAC address registered beforehand and log in with the correct AD account. How can I implement this on a Meraki MR device?

Re: Client Authentication using MAC and AD account

ppurroy — Sun, 21 Jul 2024 09:40:47 GMT

This is really a function of the Radius server that you are using. If the radius server is able to take into account both factors (MAC + AD account) when deciding to provide or deny access then yes.

Windows built-in radius server (NPS) is not able to do that. This can be performed with more advanced radius servers, such as Cisco ISE or others.

If what you are trying to achieve is that employees login onto wireless (AD auth) only with their corporate issued PCs then I would suggest to use Machine Authentication rather than username/password. With Machine Authentication the Radius server verifies with AD if that machine belongs to the domain. Then the user will be validated when they login into the machine. Assuming that this is a Windows environment.

Re: Client Authentication using MAC and AD account

ajiang1 — Sun, 21 Jul 2024 15:12:42 GMT

Thank you, Purroy.

Re: Client Authentication using MAC and AD account

Philip D'Ath — Sun, 21 Jul 2024 21:05:37 GMT

Because Meraki group policies are applied based on Mac address, you could set the default Wireless Firewall rule to deny everything, and then create a group policy called something like "Approved", which overrides the firewall rule and allows access, and apply it to every machine that is approved to access the network.

Re: Client Authentication using MAC and AD account

Evgeniy Volokhovich — Fri, 28 Feb 2025 17:19:33 GMT

thanks