topic Re: Azure AD authentication on Meraki WiFi in Wireless

Azure AD authentication on Meraki WiFi

kevinkarnebeek — Tue, 18 Jun 2019 08:18:01 GMT

Hi guys,

We are working on moving away from our on-premises AD to Azure AD. Part of our current infrastructure is using RADIUS authentication on our WiFi network, linked to our AD.

Seeing as using Azure AD directly isn't an option yet for Meraki, have you guys come up with any solutions for this?

I've been reading some posts about using a splash page to authenticate against Azure AD, but nothing specific or with a detailed configuration guide.

We don't want to spin up a VM in Azure just for this. I'm guessing we are not only ones facing this issue?

Re: Azure AD authentication on Meraki WiFi

rohitraj — Wed, 19 Jun 2019 15:47:23 GMT

Hello @kevinkarnebeek ,

At the moment, Meraki does not have a direct integration with Azure AD. However, since Azure AD is cloud-based, you would need to set up some kind of VPN set up anyway (until a direct VPN with Azure can be established).

I would recommend checking up on the vMX feature of Meraki. Following KB gives you some details on the setup

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Microsoft_Azure

Re: Azure AD authentication on Meraki WiFi

KJ12 — Sat, 26 Oct 2019 18:04:22 GMT

Hello @rohitraj I hope you're doing well. Is there any positive updates regarding the Azure AD authentication on Meraki WiFi?

Re: Azure AD authentication on Meraki WiFi

nicholas1101 — Thu, 06 Feb 2020 23:16:59 GMT

We too are looking for this since we are moving our devices to Azure AD only.

Re: Azure AD authentication on Meraki WiFi

jonas@complit.be — Sun, 09 Feb 2020 08:18:49 GMT

I would not recommend using a splash portal (open ssid) for corporate users. We are looking into a solution with ipsk and Azure. I'll keep you up to date.

Re: Azure AD authentication on Meraki WiFi

sebastianvandijk — Mon, 10 Feb 2020 09:09:56 GMT

following, we have the same question. We do not want separate vm's or servers, just Azure AD authentication on our Meraki equipment.

Re: Azure AD authentication on Meraki WiFi

Arne Bier — Thu, 13 Feb 2020 22:17:14 GMT

This question gets asked a lot on the Cisco ISE Community pages too. The challenge is that Azure AD is not the same as Active Directory (obviously) and the interfaces into Azure AD don't lend themselves to every use case. ISE for example, offers SAML interface to *some* parts of ISE (like Sponsor Portal Login page, or MyDevices Portal page) - but you cannot use Azure AD for things like EAP-PEAP authentication. Why? Because ISE has no native integration for such an external identity source. The closest you can get to that (with ISE) is to use Secure LDAP. But that breaks the password challenge algorithms (MS-CHAPv2) that is commonly used in EAP-PEAP - it cannot work. But the sLDAP integration could be used for non Authentication purposes - e.g. checking for AD Group membership during an EAP-TLS (cert based) authentication.

This is a challenge for every vendor and I have yet to come across a AAA vendor who has solved this problem. Be careful when reading that a product "integrates with Azure AD" - it's often very specific use cases only.

The solution to all this is probably a new protocol that runs over TLS (https) directly into public cloud providers. You might want to look at JumpCloud.com to see what they are currently up to.

Re: Azure AD authentication on Meraki WiFi

martyn.rees — Fri, 14 Feb 2020 05:07:12 GMT

You can use FreeRADIUS to do PEAP auth of users against Azure AD.

Re: Azure AD authentication on Meraki WiFi

Arne Bier — Sat, 15 Feb 2020 03:05:21 GMT

@martyn.rees - that's good to know. Do you have actual experience with this? I'd like to learn how this is done. Please post some more information - I have some identities in Azure and a small lab to test with. I am not too familiar with Free Radius - if you have some kind of base config, that would be handy. 🤔

Re: Azure AD authentication on Meraki WiFi

martyn.rees — Sun, 16 Feb 2020 21:48:21 GMT

Have it running in production, though it was a while ago that I set it up, and I stupidly didn't even document it for future self. When I get some time I'll see if I can cobble together some steps

Re: Azure AD authentication on Meraki WiFi

gsn — Thu, 30 Apr 2020 21:38:23 GMT

Now that the Azure AD DS is out, has someone ventured to setup this with Azure AD DS?

Re: Azure AD authentication on Meraki WiFi

Arne Bier — Thu, 30 Apr 2020 22:55:27 GMT

Azure AD DS has been available for some time. The issue that everyone is having is how to tell our glorious RADIUS servers how to use Azure AD DS. Whether FreeRADIUS, Cisco ISE or Clearpass - they all have the same issue.

I was on an ISE update session the other day and it was mentioned that ISE has support for SAML integration with Azure AD DS. Of course this only helps us for https (portal based) services, but not at all for EAP-PEAP, etc. - without divulging too much on the ISE roadmap, I believe there may be some work under way to utilise this SAML mechanism for other authentication means.

Re: Azure AD authentication on Meraki WiFi

George D — Fri, 14 Aug 2020 02:08:49 GMT

@rohitraj azure offers the idea of conditional access based on a compliant device. i'm hoping that Meraki will build in a compliant device check via intune nac.

https://docs.microsoft.com/en-us/mem/intune/protect/network-access-control-integrate

and leverage an oauth token to connect to intune

https://docs.citrix.com/en-us/netscaler-gateway/12/microsoft-intune-integration/configuring-network-access-control-device-check-for-netscaler-gateway-virtual-server-for-single-factor-authentication-deployment.html

Re: Azure AD authentication on Meraki WiFi

Tadpole86 — Thu, 20 Aug 2020 21:25:07 GMT

Most of the Cloud Identity providers are just providing simple Username/Password and maybe MFA and masquerading that as full identity management solution. With ZeroTrust, those solutions are missing key components like End-Point posture assessment. O365 offers Intune, but it’s very limited with Macs and has limited end-point capabilities. There are a number of 3rd party offers as well, but now you are operating multiple security policies.

We also have lots of clients moving to cloud, but most realize that moving AD is the last thing they want moved. It’s the security ‘Crown Jewels’ and loosing control of that to a cloud provider should be considered as a major potential issue.

Providing 802.1x for NAC from the cloud has many other issues, mostly manifesting with users not getting basic local lan access. 1x can be very chatty in a dynamic environment and any delay above 100ms will cause timeouts resulting with either default guest access for privileged users at best, or no access at all at worst. Both options are sub-optimal.

This is a classic ‘Just because you can, doesn’t mean you should’

Buyer beware. Just saving $$ should not be the primary driver when it comes to moving identity completely to the cloud.

Okta, ping, and the rest of the cloud IAM are nothing more than just a unified SSO middleman, with a pretty front end. Execs love it, cause it looks good, but many IT organizations are realizing that they are losing all control of the end-point, and with ZeroTrust, the endpoint is just as important in deciding the correct access policy.

Some interesting points of view

https://www.reddit.com/r/networking/comments/dj49s7/cloud_only_identity_providers_getting_rid_of_all/

Re: Azure AD authentication on Meraki WiFi

jpcaid — Wed, 07 Oct 2020 14:54:43 GMT

Hi @kevinkarnebeek

Did you find a solation to this?

We are looking to do the same

Thanks

Re: Azure AD authentication on Meraki WiFi

gsn — Wed, 07 Oct 2020 15:35:26 GMT

Hello, did you have a chance to look into the config ? thanks

Re: Azure AD authentication on Meraki WiFi

jpcaid — Thu, 08 Oct 2020 10:26:49 GMT

Hi @gsn

We dont have any networking setup in azure.

ideally would like to use something that doesn't involve doing adding more complexity

Re: Azure AD authentication on Meraki WiFi

GoVanguard — Tue, 26 Jan 2021 21:32:07 GMT

Meraki has implemented WPA2-Enterprise auth with GSuite/Google, why not implement the exact same integration for AzureAD?

Configuring WPA2-Enterprise with Google Auth - Cisco Meraki

Re: Azure AD authentication on Meraki WiFi

George D — Tue, 26 Jan 2021 22:16:33 GMT

i've been waiting for integration that leverages intune device compliance checks

Re: Azure AD authentication on Meraki WiFi

danderson2 — Thu, 28 Jan 2021 16:45:19 GMT

Meraki has SSO SAML integration with Azure for dashboard access. Its has splash page sign in with 'out of the box' support for google and facebook. But somehow, even with a UI that supports potentially endless idp's, MS is not there. There are no legitimate support docs to build your own splash page.

There is no logical reason to exclude MS as an idp for wifi sign in. The question has been posted since 2017. There is no technical reason. The conspiracist in me thinks meraki hates MS ?, google is paying meraki to exclude it? the original developer of the meraki authentication lost the source code? There has to be hundreds of thousands of potential meraki customers that would benefit from this. It make no sense.