Meraki authentication options with AD joined on-prem & Azure AD joined machines

Hi, looking for some advice on the best authentication method to use with Meraki for our environment. We are in Hybrid mode with O365 via ADFS, and shortly all mailboxes and data will be migrated to the cloud to allow staff to work from home etc. Users currently have on-prem AD joined laptops and PCs, but going forwards we are replacing up to 150 laptops and the current plan is to Azure AD join them instead of directly to the on-prem domain, and manage them with Intune. We installed a new Meraki wireless network and configured a local NPS server as per the Meraki instructions "Configuring RADIUS Authentication with WPA2-Enterprise" using the Domain/Users group, and I can connect to the corporate SSID using my AD credentials. However, we would like to lock down access to just corporate machines, but the Azure AD joined machines do not show in the on-prem AD, so we cannot just use the Domain/Computers group. If we go down the local on-prem CA server certificate route, as I understand it we would have to first add this as a trusted authority on all the Azure joined laptops. I am leaning towards using a trusted CA authority cert from GoDaddy - is this the best option for my scenario?

Westy (IT Operations Manager) asked:

Why do you need a certificate?

You could use Intune to register devices / laptops to Azure AD and can use Conditional Access so that only Azure-registered devices can access cloud resources.
Further, you can control which devices can be registered with Azure and who can register those devices.

I am not sure if you will keep on-premises AD?
If yes, you can use hybrid Azure AD join so that the device must be joined to on-premises AD and must be on the on-premises network to join Azure AD; later on, further access can be controlled with Conditional Access policies.
You do need Intune and Azure AD Premium licenses for any scenario.
Westy (IT Operations Manager), author, commented:
Hi Mahesh,

I should have added to the question that not everything will be in O365. We will still have some application servers on the local LAN which can also be accessed remotely via Citrix. The idea is if they come in to the office they would auto-connect to the corporate WiFi and be able to access the application servers directly.

atlas_shuddered (Sr. Network Engineer) commented:
Either option - on-prem or hosted - would work as long as the auth server/CA is linked to the authenticating domain. Your differences are going to be cheaper on-prem over time but always available via hosted (assuming connectivity to the Internet).

The way oversimplified explanation of what you will be doing is adding an auth cert to the local clients which will be used to connect to the wireless network. Any client not possessing that cert would be denied access to the wireless network. Any host connecting would need both the cert and a valid user/password combination.

Generally this entire process is managed through RADIUS, so you will need to be prepared to expand that configuration (if I am reading your original post correctly, it sounds like you are already using RADIUS).

A certificate might be required if you enforce it for Wi-Fi connectivity.
For that purpose a standard client authentication certificate is required.
You can generate it from an internal CA as well.
You do need to add the CA root certificate to the Wi-Fi device / firewall so that it can trust client certificates.

The GoDaddy option is also fine, with certificate cost involved.

For Azure and Intune you don't need a cert.
Westy (IT Operations Manager), author, commented:
Apologies for the late reply, been busy on other stuff. Going to go down the linked CA cert server route using the Intune connector.