iPSK Configuration with Microsoft NPS

j-shearer
Level 3

Greetings.

I see that Meraki MR access points now support iPSK. I also saw a configuration example posted using FreeRADIUS and Cisco ISE but I was wondering if there was anything available for configuring iPSK with Microsoft NPS posted anywhere.

Any information would be greatly appreciated.

Thanks in advance.

Joe

28 Replies

Nolan H.
Level 11

Take a look at this recent blog here:

https://www.synic.nl/2019/11/11/configuring-meraki-ipsk-with-freeradius/

The documentation Meraki provides for IPSK is at the moment a bit sparse:

https://documentation.meraki.com/MR/Access_Control/IPSK_with_RADIUS_Authentication.

They do provide some information, but it’s rather incomplete and even incorrect at places. The main caveat is that it lacks instructions for Windows NPS support, which is presumably the most used RADIUS server for Meraki 802.1X implementations. The reason for this is that Windows NPS probably lacks the RADIUS attributes or functionality to support IPSK. The instructions do mention Cisco ISE, which is a rarity in the SMB market, and FreeRADIUS, but this is more of a pointer than an instruction. Plus it forgets to mention the most awesomest feature of all: VLAN assignment!

Nolan -

Thank you. The customer currently does implement Microsoft NPS for Windows user/computer authentication using PEAP so I think I'll have to just try iPSK with it and see how it goes.

I believe that since Microsoft NPS integrates directly with AD I may have to generate AD user accounts that reflect the MAC address of the 'PSK-only' devices (older IoT devices) for authentication. As far as I can tell the RADIUS attributes that are needed are options in Microsoft NPS.

Cheers

Joe

Philip D'Ath
Meraki Community All-Star

Microsoft NPS definitely cannot do iPSK.

You could integrate FreeRADIUS with AD and simply replace NPS.

Did you have any luck with Microsoft NPS and iPSK setup?

Kurtis -

I haven't tried it yet. I am waiting to get a 'PSK-only' device in my hands. Hoping to give the config a shot later on this week or sometime next week. I'll gladly post if it's a success or failure.

Cheers

Joe

That would be great, thanks Joe!

Hi Jie2112

Had you any luck with configuring this with Windows NPS? I can get it to accept the Filter-ID for Group Policy - but I can't get it to accept the PSK. I have used the attribute Tunnel-Password for this.

@Daniel Jensen

I ran into the same issue. I was using NPS on Windows 2012 R2. What version of Windows server are you using? I was thinking of trying Windows Server 2019 to see if any updates to NPS features/functions were done.

In the meantime I am waiting for approval to get an MR license or two so I can continue testing (my eval license expired). Really hoping to get this working using NPS since the majority of my customers already deploy it.

Cheers,

Joe

@j-shearer

I am using Windows Server 2019 - which attributes did you use?

My clients are not accepting my attributes for the PSK.

I have created an account in Active Directory (for MAB) and it gets authenticated successfully. But it will not accept the Tunnel-Password as PSK - did you succeed in getting the correct attribute to use?

@Daniel Jensen

I am in the same position you are but I was using Windows Server 2012 R2.

I was also able to get MAB to work but the Tunnel-Password attribute would not be accepted by the clients. I was going to try using the Cisco-specific attributes to see if any of those would work.

I was hoping that the version of Windows server I was using was the cause of the issue but if you are using Windows Server 2019 then it's not that.

Cheers,

Joe

@j-shearer I have also tried with the Cisco-AV-Pair attributes. It didn't work either.

image.png

Here you can see my original attributes setup - where Tunnel-Password is not accepted.

image.png

Hi all,
I'm struggling with the same iPSK-NPS issue. I can tell you that it is possible to generate a RADIUS Accept message, even if you have no AD users (there's a setting for that). But what I can see is that all the additional attributes are missing in the Access-Accept message. There's only the t=Class(25) attribute in it, nothing more.
image.png
Did anyone ever manage to get this running? Seems to be like an NPS issue.
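
An added example, not part of any post in this thread: a Python check that parses a captured RADIUS Access-Accept (RFC 2865 framing) and reports whether the Filter-Id and Tunnel-Password attributes discussed above are actually present in it. The function names are illustrative and the sample packets are constructed, with a zeroed authenticator and a dummy Tunnel-Password value.

```python
import struct

# Attribute numbers from RFC 2865 (Filter-Id, Class, VSA) and RFC 2868 (Tunnel-Password).
ATTR_NAMES = {11: "Filter-Id", 25: "Class", 26: "Vendor-Specific", 69: "Tunnel-Password"}
ACCESS_ACCEPT = 2
# Attributes the thread expects NPS to return for iPSK (policy name and PSK).
EXPECTED = ("Filter-Id", "Tunnel-Password")


def parse_radius(packet: bytes):
    """Return (code, [(attr_name, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The attribute length covers its own 2-byte header and must fit the packet.
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.append((ATTR_NAMES.get(a_type, str(a_type)), packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def missing_ipsk_attributes(packet: bytes):
    """List the expected attributes that an Access-Accept does not carry."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    present = {name for name, _ in attrs}
    return [name for name in EXPECTED if name not in present]


def build(code, attrs):
    """Build a constructed sample packet; the authenticator is zeroed, not valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: a Class-only reply like the one described above, and a
# reply carrying both attributes (Tunnel-Password = tag + salt + dummy data).
CLASS_ONLY = build(2, [(25, b"\x01\x02\x03\x04")])
COMPLETE = build(2, [(25, b"\x01\x02"), (11, b"iot-policy"),
                     (69, b"\x00\x80\x01" + bytes(16))])

if __name__ == "__main__":
    print(missing_ipsk_attributes(CLASS_ONLY), missing_ipsk_attributes(COMPLETE))
```

To use it on a real capture, pass the UDP payload of the Access-Accept as bytes; the check confirms presence only and does not decrypt the Tunnel-Password value.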

Philip D'Ath
Meraki Community All-Star

It won't be possible to make this work with NPS.

Ok, seems to be like that, but why is that? What is the NPS doing different?
