Configure 802.1x certificate based authentication on Meraki wireless access points with Microsoft NPS authentication

Problem:
I wanted to enable full network access to company users via the existing Cisco Meraki wireless access points. The problem is that these traditionally have only been used for guest Wi-Fi access and I need to be 100% certain that it will be secure.

Solution:
The solution I decided to use was to leverage our existing PKI (certificate authority) and Network Policy Server. This means that users could only connect to the corporate Wi-Fi if they were a) using a domain-joined machine and b) held a company-issued certificate from our certificate authority.

For the purposes of this exercise we will assume the following work has already been done:

1. You have installed the Certificate Authority role and configured it
2. You have installed the Network Policy Server role
3. You have existing Meraki wireless access points and a login to the Meraki system

First we need to configure the NPS server. Once you have installed the NPS server role, open the NPS console, right click on RADIUS Clients and click New.

Enter the friendly name of the device as the DNS name of the Meraki wireless access point. As I have multiple WAPs and I want to enable NPS authentication for all of them, I add AP- to the front of the DNS name. This common prefix is what lets me match all units with a single Network Policy later on.

Then enter the static IP address that you have assigned to your Meraki WAP.

Then enter a Shared secret. Make this long and complex, as it is the only trust between your NPS server and the Meraki WAPs.
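The same RADIUS client registration can be scripted on the NPS server instead of clicking through the console. This is an added example, not from the original post: it assumes the NPS PowerShell module (New-NpsRadiusClient / Get-NpsRadiusClient) and uses a constructed list of access point names and addresses. Because the Meraki dashboard stores a single RADIUS shared secret per SSID, the same secret is applied to every AP.

```powershell
# Added example: register all Meraki WAPs as NPS RADIUS clients with the
# "AP-" friendly-name prefix and one long, randomly generated shared secret.
# Assumes the NPS PowerShell module is present (Windows Server 2012 or later).

# Constructed sample inventory: DNS name => static IP assigned to each WAP.
$accessPoints = @{
    'wap01.corp.example' = '10.10.20.11'
    'wap02.corp.example' = '10.10.20.12'
}

function New-RadiusSharedSecret {
    # 48 bytes from the OS CSPRNG, Base64-encoded (64 printable characters).
    param([int]$Bytes = 48)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

# One secret for the whole SSID, matching how the Meraki dashboard is configured.
$secret = New-RadiusSharedSecret

foreach ($dnsName in $accessPoints.Keys) {
    # Prefix used later by the Client Friendly Name condition (AP-*).
    $friendlyName = "AP-$dnsName"

    if (Get-NpsRadiusClient | Where-Object Name -eq $friendlyName) {
        Write-Warning "RADIUS client $friendlyName already exists, skipping"
        continue
    }

    New-NpsRadiusClient -Name $friendlyName `
                        -Address $accessPoints[$dnsName] `
                        -SharedSecret $secret `
                        -Enabled $true | Out-Null
}

# Confirm every AP- client is registered against the expected address.
Get-NpsRadiusClient | Where-Object Name -like 'AP-*' |
    Format-Table Name, Address, Enabled -AutoSize

# Enter this value once under Wireless > Access control in the Meraki dashboard.
Write-Output "RADIUS shared secret: $secret"
```

Run this in an elevated PowerShell session on the NPS server; if a WAP's static IP changes, the corresponding client entry must be updated or authentication requests from it will be silently dropped.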

We now need to create a Connection Request Policy. Right click on Connection Request Policies and click New. Give the policy a suitable name and click Next.

We now need to specify a condition, click Add and select NAS Port Type.

Check the boxes next to Wireless – IEEE 802.11 and Wireless – Other.

Then click Next, Next, Next and Finish.

We now need to create a Network Policy, so right click on Network Policies and click New, give the policy a suitable name and click Next.

We now need to specify the conditions under which machines are allowed to connect to the network. Click Add > Select Windows Groups > Click Add Groups > Type Domain Computers > Click Check Names > Click Ok > Click Ok, and then click Add again.

Now select Client Friendly Name from the list and enter AP-? (or whatever prefix you used). This means that this network policy will apply to any RADIUS clients whose friendly name starts with AP-.

When ready click Ok, then Next.

Select Access granted and click Next.

Deselect MS-CHAP v1 (as it is insecure) and then click Add.

As we are using individual certificates issued to client machines (into the computer's personal certificate store), we need to select Microsoft: Smart Card or other certificate and click Ok. Then click Edit and select the CA certificate you want NPS to present to your clients.

Then click Next, Next, Next and Finish.

Now log in to your Meraki console and go to Wireless > Access control.

Under Network access choose WPA2-Enterprise with, and change the drop-down beside it to my RADIUS server. Make sure that the WPA encryption mode is set to WPA2 only.

Change the RADIUS server host to the IP address of your NPS server, enter the port as 1812 and enter the Shared Secret that you entered earlier when configuring NPS. Don't bother clicking Test and entering domain credentials; this will fail because we are using EAP certificate-based authentication, not username and password.

Configure any other necessary settings such as the VLAN ID and then click save.  Your wireless clients that have been issued certificates from your CA will now be able to connect to the Meraki access points using 802.1x authentication.
If you want to learn how to deploy your wireless network using Group Policy click here.

I just wanted to add an additional note to say that simply using open 802.1x authentication is likely to limit your transfer speeds. I had to select WPA2 with AES and then select key authentication as 802.1x.
