03-20-2018 02:44 AM
Hello, I am hoping that someone may be able to help me understand if an idea is possible with 802.1x authentication via a single SSID.
My aim: to 802.1x authenticate corporate machines/users via a certificate so they are not required to enter details when using a corporate-issued device (laptop/smartphone etc.), but if the device is not corporate, they use our current off-site RADIUS server solution to authenticate via 802.1x username & password.
First of all, is this possible? So if a certificate is available on the device, it will authenticate locally with a policy set to allow the native LAN as per wired clients, and if there is no certificate, they will be forwarded onto our 3rd-party hosted RADIUS server with user-entered credentials and use the Meraki “VPN: tunnel data to a concentrator” back to our MX in our DMZ so guests can still have internet access, while being isolated from our corporate data.
We want to continue to use our 3rd-party RADIUS server as this is a shared service with other partner companies etc.
Secondly, how would we go about this?
03-20-2018 05:26 AM
Yes, this is possible.
The client configuration (supplicant) determines the authentication type attempted (and accepted). The corporate machines will have a certificate and be configured (manually or via Group Policy) to use the certificate for authentication via EAP-TLS.
Non-corporate devices will need to auto-detect (which some clients do well like iOS) or be manually configured to use a username and password EAP type (such as PEAP).
The ISE authentication policy can check the EAP authentication type in the request and, if it is EAP-TLS, use certificate-based authentication. If the authentication request is PEAP, ISE can proxy the authentication off to the other RADIUS server.
I have implemented something just like this; however, I would still set this up to test your use cases and the client experience and ensure RADIUS interoperability to make sure it does exactly what you want.
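To make the "branch on the EAP type in the request" step concrete, here is an added Python illustration (not code from the original posts, from Meraki, or from ISE) of what the RADIUS server has to do before it can take that decision: walk the Access-Request attributes, reassemble the EAP-Message fragments, read the EAP method type, and classify the request as "authenticate locally" (EAP-TLS), "proxy to the partner RADIUS" (PEAP/EAP-TTLS), or "keep negotiating" (the initial EAP-Response/Identity, which names no method yet). The packets, usernames and the zeroed Message-Authenticator are constructed for the example; a real server verifies the HMAC-MD5 Message-Authenticator (RFC 3579) before doing anything else.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS attribute types (RFC 2865 / RFC 2869)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_ACCESS_REQUEST = 1

# EAP code and method types (RFC 3748 and the IANA EAP method registry)
EAP_RESPONSE = 2
EAP_IDENTITY, EAP_TLS, EAP_TTLS, PEAP = 1, 13, 21, 25


def build_radius_request(attrs: List[Tuple[int, bytes]],
                         authenticator: bytes = bytes(range(16)),
                         identifier: int = 1) -> bytes:
    """Assemble a minimal Access-Request (constructed sample data, not a capture).
    An attribute's length field counts type + length + value and is capped at 255,
    so a long EAP payload is carried as several consecutive EAP-Message AVPs."""
    body = b""
    for attr_type, value in attrs:
        for off in range(0, len(value), 253):
            chunk = value[off:off + 253]
            body += struct.pack("!BB", attr_type, len(chunk) + 2) + chunk
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def make_eap_response(method: int, data: bytes, identifier: int = 1) -> bytes:
    """EAP-Response frame: code, identifier, length, method type, method data."""
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 5 + len(data)) + bytes([method]) + data


def sample_request(user: str, eap: bytes) -> bytes:
    """An Access-Request as an 802.1X authenticator (e.g. an access point) would send it.
    Message-Authenticator is left zeroed here; a real NAS fills in the HMAC-MD5."""
    return build_radius_request([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_EAP_MESSAGE, eap),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ])


def parse_radius_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header, refusing inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def eap_method_from_request(packet: bytes) -> Optional[int]:
    """Return the EAP method type the supplicant is using, or None when the request
    carries no EAP-Message (for example a plain PAP request)."""
    attrs = parse_radius_attributes(packet)
    # Fragments must be concatenated in the order they appear in the packet.
    eap = b"".join(value for attr_type, value in attrs if attr_type == ATTR_EAP_MESSAGE)
    if not eap:
        return None
    if len(eap) < 4:
        raise ValueError("EAP header truncated")
    code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length does not match reassembled EAP-Message data")
    if code != EAP_RESPONSE or eap_len < 5:
        return None  # only Response frames name a method
    return eap[4]


def route_request(packet: bytes) -> str:
    """The policy branch the answer above describes:
       'local'    EAP-TLS, validate the client certificate against the corporate PKI
       'proxy'    PEAP / EAP-TTLS, forward to the partner-hosted RADIUS server
       'continue' EAP-Response/Identity, no method chosen yet, keep negotiating
       'reject'   anything else"""
    method = eap_method_from_request(packet)
    if method == EAP_TLS:
        return "local"
    if method in (PEAP, EAP_TTLS):
        return "proxy"
    if method == EAP_IDENTITY:
        return "continue"
    return "reject"


def is_malformed(packet: bytes) -> bool:
    """True when the RADIUS or EAP framing is inconsistent; drop such requests, never route them."""
    try:
        eap_method_from_request(packet)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    samples = [
        ("corporate laptop, EAP-TLS", sample_request("host/laptop01.corp.example", make_eap_response(EAP_TLS, b"\x00"))),
        ("guest phone, PEAP", sample_request("guest@partner.example", make_eap_response(PEAP, b"\x00"))),
        ("any device, Identity", sample_request("anonymous", make_eap_response(EAP_IDENTITY, b"anonymous"))),
    ]
    for label, pkt in samples:
        print("%s -> %s" % (label, route_request(pkt)))
```

Two practical points the code makes visible. First, the very first Access-Request of any 802.1X session carries only EAP-Response/Identity, so the server cannot know the method until the supplicant has answered its first EAP-Request; the classification happens on the later packets of the same conversation. Second, once a conversation is handed to the partner server, every subsequent Access-Request of that conversation (tied together by the RADIUS State attribute) must go to the same server, because the EAP state lives there (RFC 3579); this is the "RADIUS interoperability" the answer says is worth testing with your actual supplicants.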