Machine auth on SSID

TheMightyGaur
Community Member

Looking to only allow domain joined machines on a SSID. Was looking at RADIUS auth but that seems to only check MAC address or user accounts despite this statement in the config doc:

"Type or find the Domain Users group. This group should be located in the same domain as your RADIUS server.
Note: If RADIUS is being used for Machine Authentication, find the Domain Computers group instead."

Can this be done using a computer group? If not, what is the best option to verify the computer and minimize complexity to the users? We have about 1500 devices, so creating a MAC account for each machine would be a bit cumbersome to maintain.

Thanks for any suggestions.

Using NPS for RADIUS.

1 Accepted Solution

GreenMan
Cisco Employee

Using X.509 certs (either user or machine) for Enterprise-802.1x is supported by Meraki APs using NPS as RADIUS: https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_WPA2-Enterprise_With_EAP-TLS

4 Replies

joey.debra
Meraki Community All-Star

You need your NPS access rule to match a specific AD group. In this case that would be the domain computers group. And only if that condition is met you can send the access-accept.

Usually when you create a network policy on NPS you need to put in the following conditions:
nas-port-type = 802.11 wireless
called station id contains SSIDname
domain computer = the machine group containing your windows machines.

And make sure this rule is above the default rules.
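
The three conditions and the ordering advice in the reply above, as a simplified model (an added example, not part of the original post and not NPS code). It assumes the AP sends Called-Station-Id as "<BSSID>:<SSID>" and uses Python's `re.search` as a stand-in for NPS pattern matching; all names, SSIDs and BSSIDs are constructed. It also shows that a bare "contains" match on the SSID name accepts a second SSID that shares the prefix, while an anchored pattern does not.

```python
import re
from dataclasses import dataclass
from typing import Callable

WIRELESS_80211 = 19  # NAS-Port-Type "Wireless - IEEE 802.11" (RFC 2865)

@dataclass(frozen=True)
class Request:                      # constructed stand-in for an Access-Request
    nas_port_type: int
    called_station_id: str          # assumed AP format: "<BSSID>:<SSID>"
    identity: str
    groups: frozenset

@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool
    matches: Callable[[Request], bool]

def machine_policy(ssid_pattern: str, group: str = "Domain Computers") -> Policy:
    """All three conditions from the post must hold for the policy to match."""
    def matches(r: Request) -> bool:
        return (r.nas_port_type == WIRELESS_80211
                and re.search(ssid_pattern, r.called_station_id) is not None
                and group in r.groups)
    return Policy(f"machine auth [{ssid_pattern}]", True, matches)

DEFAULT_DENY = Policy("default deny", False, lambda r: True)

def evaluate(policies: list, r: Request) -> tuple:
    """First matching policy decides; policies below it are never consulted."""
    for p in policies:
        if p.matches(r):
            return p.grant, p.name
    return False, "no matching policy"

# Constructed sample requests (hypothetical names, SSIDs and BSSIDs).
LAPTOP = Request(19, "AA-BB-CC-DD-EE-01:CorpWiFi", "host/LT-001.corp.example",
                 frozenset({"Domain Computers"}))
PHONE = Request(19, "AA-BB-CC-DD-EE-01:CorpWiFi", "CORP\\alice",
                frozenset({"Domain Users"}))
LAPTOP_ON_GUEST = Request(19, "AA-BB-CC-DD-EE-02:CorpWiFi-Guest",
                          "host/LT-001.corp.example", frozenset({"Domain Computers"}))

if __name__ == "__main__":
    loose, strict = machine_policy("CorpWiFi"), machine_policy(r":CorpWiFi$")
    for label, order in [("rule first", [strict, DEFAULT_DENY]),
                         ("rule below default", [DEFAULT_DENY, strict])]:
        print(label, evaluate(order, LAPTOP), evaluate(order, PHONE))
    print("contains:", evaluate([loose, DEFAULT_DENY], LAPTOP_ON_GUEST))
    print("anchored:", evaluate([strict, DEFAULT_DENY], LAPTOP_ON_GUEST))
```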

Thanks for your reply. I have chosen a different route, but I appreciate your reply

Philip D'Ath
Meraki Community All-Star

You will also need to create a group policy to configure your machines to only perform machine auth.
