[Bugs] : Systems Manager Sentry Wi-Fi security Profile deployed on Mac

aws_architect
Building a reputation

[Bugs] : Systems Manager Sentry Wi-Fi security Profile deployed on Mac

802.1X with Meraki certificate deployed by EMM

 

 

Hello,

 

 

- Meraki WiFi profile containing SSID and Certificate for an old deleted Network SSID is still pushed on all devices enrolled in EMM.

We are supposed to have only one the network of the second one has been deleted but profile still pushed to macs.

 

- SCEP Wifi Certificate is 2 times in the profile and push 2 times to the Macs ? Why ?

 

- As soon as you click on Reinstall on Meraki WiFi - Profile section it will regenerate a new certificate and WILL NOT delete old ones.

If I click 6 times, I will have 6 certificates on the Mac keychain 

Does it means that If I exclude a computer from Sentry Wi-Fi security with a tag for exemple, he will still have access to it with "Old Certificates being present on the Keychain ?"  even without profile the enduser can choose a network and a certificate manualy for a 802.1x SSID

 

- Naming of the profil that is pushed is kind of odd.

If you have 20 networks with this kind of Setup, you will have 20 times "Meraki WiFi" profile pushed.

IMO it should include Name of network + SSID or even better to combine all SSID within the same profile !

 

 

 

Mac OsScreen Shot 2018-08-18 at 13.21.45.pngScreen Shot 2018-08-17 at 16.04.20.pngScreen Shot 2018-08-17 at 16.04.14.pngDocumentation : https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

14 REPLIES 14
MRCUR
Kind of a big deal

For your first issue, are you 100% positive this old SSID is not still configured anywhere in your Dashboard org? Typically the old Meraki WiFi profile should be removed when the old SSID is removed or changed to a non-Sentry auth type. 

 

I'd love to hear feedback from the SM team on your other questions as I also see the same (odd) behavior. 

MRCUR | CMNO #12
aws_architect
Building a reputation

I am 200% sure , we tried to reproduce it with support and couldn’t 

 

- when you disable sentry from SSID, profile is removed 

- when you remove the sentry tag from a computer, profile is removed 

- without disabling sentry , deleting network profile is removed as well 

 

I don’t know why with this network (deleted) it’s still pushed and couldn’t reproduce it .

 

What exactly are you seeing as odd behavior ? 

 

Thank you 

 

You raise an interesting point about revoking access to a network.

 

This is how it should work:

  • Certificate gets issued to a user
  • When a user attaches they present the certificate, and the username on the certificate is checked to verify they have access

 

I have never personally validated this.  The intention of a certificate is to prove who you are - like a username and password - and having a certificate (or username/password) alone should not provide authorisation.

ps. A 2048 bit certificate is similar in strength to a user having a 256 character password - except the "password" is generated algorithmically random rather than relying on a human to make and remember it. 

 

In certificate systems I have worked with you don't usually delete old certificates.  You simply revoke the users access to whatever system it is.  In the same way that you don't delete a username just to prevent them from accessing one system.

 

Certificates can be exported.  If you relied on a certificate simply being present for access, then the user could simply export it to a file, and then re-import it whenever they wanted access.  Deleting the "stored" certificate would provide no real measure of security.

 

I didn’t try to export but I hope the certificate are installed with the flag none exportable , meaning that they can’t get export easily.

I will try , good point here.

 

I agree with you regarding the revoking.

 Did you try ? Previous certificate are revoked and can’t get access to the WiFi SSID ?

 

I am wondering even this :

If a valide certificate could be use for another SSID that the user don’t have access to by joining manually the SSID and selecting the certificate (of the other SSID). I kind of doubt it and will give it a try .

3 week passed. nothing has moved.

MRCUR
Kind of a big deal

It sounds like this may be an issue with the specific network/SSID that was removed. Do you have a case open with Support on this? You may need to get SM engineering involved to have it removed. 

MRCUR | CMNO #12
aws_architect
Building a reputation

02905804 for case number. 

 

None of my case have reach engineering team with proper output (Bug fixed.)

So I am not really hopping ...

 

Thank you all for the answers.

MRCUR
Kind of a big deal

Ask the engineer assigned to check with the SM dev team. They have the ability to do this easily so it shouldn't be a problem. 

MRCUR | CMNO #12
aws_architect
Building a reputation

Maybe you are a VIP Customer 😉 

Out of 20 cases none of them got resolved .

 

Will do, thank you

Case 02905804:

 

I Spent 1h showing to support on Friday ( 5 days ago ) . No single update or answer on the case since then.

No one answers anymore and bugs still here .

 

It’s really not acceptable . I have never seen that !

 

Meraki, wake up !

 

 

8 days passed , no news neither from meraki  in the community, neither on support 

Merik
Conversationalist

I've been having this issue as well for a couple months. I've tried contacting support but they haven't been much help. I have two networks with the same SSID with sentry enabled but that led to multiple certificates and our employee's WiFi constantly disconnecting. 

aws_architect
Building a reputation

Since August no move at all

 

This profil is not removable and get push even to all new device without possiblity to block it !

 

Screen Shot 2018-10-31 at 1.44.43 AM.png

 

 

 

As we can see there is no NETWORK assign the link goes to 

 

https://n210.meraki.com/n/undefined/manage

 

and If I click to SSID https://n210.meraki.com/n/undefined/manage/configure/access_control?ssid_number=

 

So Meraki remove this profil ASAP, It is that difficult to resolve this bug ? Do you really need 6 months to do this ?

 

+ I am adding one more :

 

When you click on Profile List / Meraki Wifi, It shows randomly the list of Device in the scope and that on all Profile

 

BR

 

@MerakiDave

Bump , I was hoping some help on this 1 year old case

Thank you
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels