Cisco Meraki Wifi + RADIUS

Hi All,

I’m currently using Cisco Meraki APs with Windows NPS (RADIUS) authenticating against on-prem AD for our main corporate Wi-Fi SSID. Devices are largely Intune-managed, identity is Entra ID, and I’m actively trying to reduce or eliminate on-prem dependencies where it makes architectural sense.

One of the drivers for this change is user behaviour around Wi-Fi. We also have a guest SSID, correctly isolated from internal resources, but some users with managed corporate devices still choose to connect to it (usually for convenience or because it’s remembered). At which point they lose access to some on-prem systems that aren't ready for SaaS deployment.

What I’d like to move towards is a cloud-native Wi-Fi authentication model aligned with Entra ID, ideally removing the need for local NPS and on-prem AD altogether, while also ensuring managed devices naturally prefer (or are limited to) the corporate SSID.

My assumptions / questions:

I understand that 802.1X Wi-Fi still fundamentally requires RADIUS, but I’m open to cloud RADIUS services that integrate directly with Entra ID.
I’m not wedded to username/password auth and am actively considering certificate-based EAP-TLS, with certs issued via Intune and tied to Entra device identity/compliance.
My expectation is that this would largely eliminate corporate devices using guest Wi-Fi, without needing to artificially cripple the guest network.
I’ve noticed Meraki logs device names and signed-in users, but I assume this is post-connect visibility, not a replacement for actual authentication/authorisation at the Wi-Fi layer.

What I’m trying to validate from others’ experience:

Is cloud RADIUS + Entra ID + Intune-issued certs the current best-practice path with Meraki when removing on-prem AD/NPS?
Are there any real-world alternatives that avoid RADIUS entirely for Meraki Wi-Fi (I suspect not, but happy to be proven wrong)?
Any gotchas with Meraki + EAP-TLS + Entra-managed certs at scale?

End goal:
No on-prem servers purely to keep Wi-Fi working, strong device-based trust, and behaviourally eliminating the incentive for managed devices to sit on guest Wi-Fi.

Thanks,

Tim

Find more posts tagged with

Azure

Cloud migration

Entra

Cisco

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Tristan Watkins

Hi @timjeens I think you've precisely articulated our rationale for creating our Managed Network Authentication and Cloud PKI services, which works with SecureW2 for cloud RADIUS and PKI, Intune for SCEP and network profiles, and Entra ID for portal authentication. Meraki are one of the most common targets for these deployments. Guest Access gets messier, but SecureW2 only gives you more options there. Most organisations will stay with the Meraki guest access options though, unless they are willing to take on more complex sponsorship or MAC-based models (from memory - this hasn't been popular). In any case, SecureW2 is the perfect missing piece for removing the office server room dependencies like NPS, AD CS and AD DS.

timjeens

Hi Tristan,

Ok Thanks, I've reached out to SecureW2 to see their offering.

The Guest wifi is just a password, and we publish it around the offices, and tell the staff to use it for their phones..
So, any way with Meraki to reject the laptops, without affecting the proper networks?

Thanks,

Tim

Tristan Watkins

If you're using certs it's all passive. It's unlikely anyone would ever choose to connect to it. Shy of proactively managing all connections (gets much messier), you could do some one-off deletion of the guest network on managed devices, but it may be useful to have it as a fallback. Let us know if we can help. We can deliver the onboarding or help with on-going management through the service I mentioned earlier. We can simply help with the resale as well, if your resourcing is normally internal.

timjeens

Yea I'm not going to go with SecureW1 its too expensive. I am considering EXRadius though as its cheaper.

Any Thoughts?

Tristan Watkins

Sorry Tim, I missed that. No experience with alternatives. When we did the due diligence on SecureW2 it was the clear winner. Some alternatives came up with some novel approaches to PKI that were pretty worrying, given that they had no other precedent in the industry. SecureW2 costs relative to AD CS TCO is low, and it's much more elegant.