
Using RADIUS to authenticate both users and computers

KKC
Community Member

Hi,

We have a couple of MR42s and I want to see if this scenario can be achieved using RADIUS. Here are the requirements:

  • We want to use RADIUS to authenticate users against our Active Directory
  • Only the company provided-devices are allowed to connect to the WiFi network

If it is not doable with RADIUS, any alternative?

Thanks,

KK

10 Replies

aleabrahao
Meraki Community All-Star

Is the Meraki System Manager an option?

https://documentation.meraki.com/SM/Systems_Manager_Quick-Start

You can use RADIUS MAC filtering, but in my opinion it's not a good option, because you need to change your password policy to an option with less security.

https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Philip D'Ath
Meraki Community All-Star

This is possible, although it just became more complicated with Windows 11 22H2 when Microsoft (big surprise) disabled one of the most used protocols for doing it.

You'll need to use the Microsoft Certificate server (built into Windows), and deploy a certificate onto every device (for Windows machines you can do this via group policy automatically).

You'll use WPA2-Enterprise mode on the WiFi side, and I would use EAP-TLS as the authentication protocol. You'll use Network Policy Server (NPS) on Windows to achieve this.

Meraki had a guide for doing this using the much simpler MSCHAPv2. If you don't have Windows 11 machines in your environment, you can start with using this approach, and then add on certificates at a later point in time.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

Otherwise - if you haven't done this before or don't have certificate services already deployed - get someone in to help you. It is massively more complicated now.

aleabrahao
Meraki Community All-Star

Oh god, how did I forget 802.1X authentication with certificates. 🤓

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KKC
Community Member

I'll check this out. I forgot about 802.1x too!

We have only Windows 10 so it's very doable at the moment.

The already suggested EAP-TLS is sadly not enough to solve this, as the machine and user authentication are decoupled. There are some workarounds, but the only real way is to use TEAP (or the previous version, EAP-FAST) as the EAP method, because here we can do EAP chaining, which couples the user authentication to the already completed machine authentication.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

KKC
Community Member

Any detail and configuration examples about this approach?

Not sure if NPS supports it. This is for Cisco ISE, perhaps you can adopt it:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Philip D'Ath
Meraki Community All-Star

NPS definitely does not support TEAP.

Philip D'Ath
Meraki Community All-Star

I think EAP-TLS will be sufficient if he relaxes the conditions slightly and just does machine-based certificate authentication.

He can then at least verify that only authorised machines are attached to the network.

In this case he only knows this for his own machines. But unless *all* devices support EAP-TLS (I haven't seen this on any network) he can't make sure that the user connects with domain-credentials from his personal PC.

But I am completely with you that relaxing the requirements is the right way. Really achieving *this* goal is one of the hardest in the .1X implementation.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
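As an added illustration of the relaxed "machine-certificate only" EAP-TLS policy discussed above (example code written for this page, not from the thread, Meraki or NPS): a small Go program builds a constructed demo PKI (corporate CA, a machine cert with a DNS SAN, a user cert, and a self-signed cert from a device outside the PKI) and applies the RADIUS-side check that accepts only a machine certificate chained to the corporate CA. The host names, the `corp.example` domain and the `NewCert`/`AllowDevice`/`DemoPKI` helpers are assumptions; a real NPS or ISE policy expresses the same conditions through certificate-template or SAN matching rather than code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)
// NewCert issues a cert for cn signed by parent (nil parent = self-signed). san is the DNS SAN a machine cert carries; a user cert has none. Serials are random demo values.
func NewCert(cn string, san []string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: san,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pk = t, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk) // cannot fail for these constructed templates
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// AllowDevice is the RADIUS-side "company devices only" policy: chain to the corporate CA, client-auth EKU, and a host name in the AD domain.
func AllowDevice(leaf *x509.Certificate, roots *x509.CertPool, domain string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // not issued by our CA, expired, or wrong EKU
	}
	for _, n := range leaf.DNSNames {
		if strings.HasSuffix(n, "."+domain) {
			return nil // a machine certificate for a domain-joined host
		}
	}
	return errors.New("no host name under " + domain + ": a user certificate, not a machine certificate")
}

// DemoPKI constructs a corporate CA, a machine cert, a user cert (same CA, no DNS SAN) and a self-signed cert from a device outside the PKI.
func DemoPKI() (roots *x509.CertPool, machine, user, foreign *x509.Certificate) {
	ca, caKey := NewCert("Corp Issuing CA", nil, true, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	machine, _ = NewCert("ws01.corp.example", []string{"ws01.corp.example"}, false, ca, caKey)
	user, _ = NewCert("alice@corp.example", nil, false, ca, caKey)
	foreign, _ = NewCert("byod.corp.example", []string{"byod.corp.example"}, false, nil, nil)
	return
}
```

The user certificate is rejected even though the same CA issued it, which is the decoupling pointed out above: a machine-only policy proves the device, not who is sitting at it.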