Thursday, March 8, 2018

Radius on Meraki

What I did:

Created a certificate:
https://www.youtube.com/watch?v=ls9CW6jl6Q0

mmc.exe
File>Add/Remove Snap-in
Certificates
Local computer

Expand Certificates
Personal
Right click Certificates
All tasks, Request New Certificate
Next Next
Select Domain Controller


Add Network Policy and Access services
Server 2012:
Server Manager
Add Roles and Features
Role based
Network Policy and Access Services
Next
Select Network Policy Server and Host Credential Authorization Protocol
Next next next next until it's done.

Register NPS with AD:
Open NPS
Right click NPS(local)
Register server in Active Directory

Add RADIUS Client:
Open NPS
Right Click RADIUS Clients>New
Add Friendly name and IP of Meraki WiFi
Create Secret
Ok
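
The steps up to this point (certificate check, NPS role, AD registration, RADIUS client) scripted in PowerShell, as an added example that is not part of the original notes. The client name and IP address are placeholders, and generating a random hex shared secret is an assumption about how to handle "Create Secret", not what was done here.

```powershell
# Run in an elevated PowerShell session on the NPS server (Server 2012 or later).
# Constructed placeholder values: replace with your own AP details.
$ApName    = 'Meraki-AP-01'   # hypothetical friendly name
$ApAddress = '192.0.2.10'     # placeholder IP (documentation range)

# 1. Confirm the computer store holds a certificate NPS can present for PEAP:
#    private key present, not expired, Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}
if (-not $certs) {
    throw 'No valid Server Authentication certificate in LocalMachine\My. Request one first.'
}
$certs | Sort-Object NotAfter | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# 2. Install the Network Policy and Access Services role with its console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
Import-Module NPS

# 3. Register this NPS server in Active Directory (its default domain).
netsh nps add registeredserver

# 4. Generate a 256-bit shared secret from the OS CSPRNG, hex encoded
#    (64 characters) so it pastes cleanly into both NPS and the dashboard.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 5. Add the AP as a RADIUS client, refusing to create a duplicate name.
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $ApName }) {
    throw "RADIUS client '$ApName' already exists."
}
New-NpsRadiusClient -Name $ApName -Address $ApAddress -SharedSecret $secret | Out-Null

# Shown once so it can be entered on the Meraki side; keep it in a
# password manager rather than in a script or ticket.
Write-Host "RADIUS client $ApName ($ApAddress) added. Shared secret: $secret"
```
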

Create NPS Policy
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise


Open the Network Policy Server console.
Select NPS(Local), so you see the Getting Started pane.
Select RADIUS server for 802.1X Wireless or Wired Connections in the Standard Configuration drop down.

Click Configure 802.1X to begin the Configure 802.1x Wizard.
When the Select 802.1X Connections Type window appears select the radio button Secure Wireless Connections and type a Name: for your policy or use the default. Click Next.
Verify the APs you added as RADIUS clients on the Specify 802.1X switches window. Click Next.
For Configure an Authentication Method select Microsoft: Protected EAP (PEAP).
Click Configure to review the Edit Protected EAP Properties. The server certificate should be in the Certificate issued drop down. Make sure Enable Fast Reconnect is checked and EAP type is Secure password (EAP-MSCHAPv2). Click OK. Click Next.
When the Specify User Groups window appears click Add.
Type or find the Domain Users group. This group should be located in the same domain as your RADIUS server.
When the group is added click OK. Click Next.
Click Next on Configure a Virtual LAN (VLAN) window.
When the Completing New IEEE 802.1X Secure Wired and Wireless Connections and RADIUS clients window appears click Finish.

Change the Policy Process Order

Navigate to Policies>Connection Request Policies. Right click the wireless policy and Move Up so it is processed first.
Navigate to Policies>Network Policies. Right click the wireless policy and Move Up so it is processed first.

Disable Auto Remediation

Navigate to Policies>Network Policies. Right click the wireless policy and select Properties.
On the Settings tab for the policy uncheck the box Enable auto-remediation of client computers and click OK.
(This is located under NAP Enforcement.)



On to the Meraki

Hover over Wireless, select SSIDs
Create or Select an existing SSID and Edit Settings
Association Requirements:
WPA2-Enterprise with my Radius Server

Splash Page:
(I left this as None for corporate users)
RADIUS Servers:
Add IP of server, port 1812, add secret and test.
Addressing and traffic
I left these in Bridge mode: Make clients part of LAN.
I have one site with multiple Meraki APs; I will test Layer 3 roaming there.


Later on I might find out this is riddled with security holes, but for now it works for users to use AD creds and access network resources while on WiFi.
