Meraki RADIUS with Microsoft NPS user IP in domain controller logs

tato386
Level 6

We are currently using ISE-PIC and WMI integration with Windows AD for user/IP mapping and it works fairly well with domain joined wired desktops. We now want users to use their domain creds with wireless devices and will implement Microsoft NPS for this. The NPS will authenticate users connecting to Meraki APs using RADIUS. My question is: What IP will be logged on the Windows domain controller log when this happens? Ideally the users' endpoint device IP will be logged and the ISE-PIC will map IP correctly. But I am not sure how this process works and if the Meraki AP IP or worse, NPS IP show in DC logs my plan will not work. Any ideas?

TIA,
Diego


8 Replies

What is the use-case for ISE-PIC?  Also no one should be deploying username/password auth in 2025 for network auth.  MS-CHAPv2 relies on broken RC4 encryption.  Microsoft has blocked PEAP/MS-CHAPv2 by default in recent Windows versions because of this.  You should use certificates with EAP-TLS or TEAP instead.

tato386
Level 6

@ahollifield you make good points but at this time our focus is eliminating PSK for wireless BYOD devices and getting PKI certs on those devices is not feasible at this time.

Why not?  What is the use-case for giving unknown/unmanaged endpoints access to the protected network?

Is ISE integrated with a device that relies on ISE-PIC user-IP mapping? If not, as @ahollifield mentioned, what's the use case of ISE-PIC?

ISE-PIC reads the AD security logs and parses the information from there; it doesn't care about how a user was logged into the AD, it just reads the logs and parses the context from there. The details in the security logs belong to the users, not to the APs.

I also forgot to mention that depending on what version of Windows server you have integrated with ISE, you might need to move away from WMI and use Passive ID agent due to the Microsoft patch KB5014692 that could break WMI:

Configure EVT-Based Identity Services Engine Passive ID Agent - Cisco

KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) - Microsoft Support
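An added illustration (not part of the thread) of what a log-based user/IP mapping like the one described above depends on: only security events that carry a client address produce a mapping, while events that name only a workstation yield nothing. The event IDs and field names are simplified assumptions modelled on the Kerberos TGT-request (4768) and credential-validation (4776) events, and the log lines are constructed.

```python
# Constructed sample of Windows security-log entries in a simplified
# "key=value; ..." form (assumption: real events are XML/EVTX records;
# the field names here are simplified stand-ins for the real ones).
SAMPLE_EVENTS = [
    "EventID=4768; TargetUserName=diego; ClientAddress=::ffff:10.20.30.41",
    "EventID=4768; TargetUserName=DESKTOP01$; ClientAddress=::ffff:10.20.30.42",
    "EventID=4776; TargetUserName=diego; Workstation=PHONE-DIEGO",
    "EventID=4768; TargetUserName=alice; ClientAddress=10.20.30.50",
    "EventID=4624; TargetUserName=bob; IpAddress=-",
]


def parse_event(line):
    """Split a simplified 'key=value; key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value
    return fields


def normalize_ip(raw):
    """Strip the IPv4-mapped IPv6 prefix AD writes; None for '-' or missing."""
    if not raw or raw == "-":
        return None
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw


def user_ip_mapping(lines):
    """Build {user: ip} from events that carry a client address.

    Machine accounts (names ending in '$') and events without an
    address are skipped and reported, so a defender can see which
    logon paths never feed the mapping.
    """
    mapping = {}
    skipped = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("TargetUserName", "")
        ip = normalize_ip(ev.get("ClientAddress") or ev.get("IpAddress"))
        if user.endswith("$") or ip is None:
            skipped.append((ev.get("EventID"), user))
            continue
        mapping[user] = ip
    return mapping, skipped
```

Running `user_ip_mapping(SAMPLE_EVENTS)` maps diego and alice to their client addresses and lists the 4776 and 4624 entries as skipped, which is the check to run against real DC logs before relying on the mapping for wireless users.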

@Aref Alsouqi we currently have 8 fully patched Windows DCs and WMI from ISE-PIC is working well so luckily, we are not affected by KB5004442 and hopefully it will stay this way.  The ISE-PIC is linked to an FMC, and we use user-IP mapping to match FMC rules and control access to web categories and apps.

We would now like to extend our existing web filter and access policies to employee BYOD devices and thus the integration with NPS.  Of course, this will only work if the endpoint device IP is logged in the DCs login event log for the ISE user-IP mapping to correctly match FMC rules.

Thanks for the clarification. Then yes, it should work with no problems at all because, as we said, from the ISE-PIC perspective it will still rely on the AD security logs and feed the FMC via pxGrid without caring whether that user connected via wired or wireless, nor via NPS or other methods.

tato386
Level 6

Excellent, thanks for the clarification.