802.1X with Meraki certificate deployed by EMM
Hello,
- The Meraki WiFi profile containing the SSID and certificate for an old, deleted network SSID is still pushed to all devices enrolled in EMM.
We are supposed to have only one; the network of the second one has been deleted, but the profile is still pushed to Macs.
- The SCEP WiFi certificate is in the profile twice and is pushed twice to the Macs. Why?
- As soon as you click Reinstall in the Meraki WiFi profile section, it regenerates a new certificate and WILL NOT delete the old ones.
If I click 6 times, I will have 6 certificates in the Mac keychain.
Does it mean that if I exclude a computer from Sentry Wi-Fi security with a tag, for example, it will still have access to it with the old certificates being present in the keychain? Even without the profile, the end user can choose a network and a certificate manually for an 802.1X SSID.
- The naming of the profile that is pushed is kind of odd.
If you have 20 networks with this kind of setup, you will have the "Meraki WiFi" profile pushed 20 times.
IMO it should include the name of the network + SSID, or even better, combine all SSIDs within the same profile!
macOS documentation: https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...
For your first issue, are you 100% positive this old SSID is not still configured anywhere in your Dashboard org? Typically the old Meraki WiFi profile should be removed when the old SSID is removed or changed to a non-Sentry auth type.
I'd love to hear feedback from the SM team on your other questions as I also see the same (odd) behavior.
I am 200% sure; we tried to reproduce it with support and couldn't.
- When you disable Sentry on the SSID, the profile is removed.
- When you remove the Sentry tag from a computer, the profile is removed.
- Without disabling Sentry, deleting the network removes the profile as well.
I don't know why with this (deleted) network it's still pushed, and I couldn't reproduce it.
What exactly are you seeing as odd behavior?
Thank you
You raise an interesting point about revoking access to a network.
This is how it should work:
I have never personally validated this. The intention of a certificate is to prove who you are - like a username and password - and having a certificate (or username/password) alone should not provide authorisation.
PS: A 2048-bit certificate is similar in strength to a user having a 256-character password - except the "password" is generated algorithmically at random rather than relying on a human to make and remember it.
In certificate systems I have worked with you don't usually delete old certificates. You simply revoke the user's access to whatever system it is. In the same way that you don't delete a username just to prevent them from accessing one system.
Certificates can be exported. If you relied on a certificate simply being present for access, then the user could simply export it to a file, and then re-import it whenever they wanted access. Deleting the "stored" certificate would provide no real measure of security.
I didn't try to export, but I hope the certificates are installed with the non-exportable flag, meaning that they can't be exported easily.
I will try; good point here.
I agree with you regarding the revoking.
Did you try? Are previous certificates revoked so that they can't get access to the WiFi SSID?
I am also wondering this:
Could a valid certificate be used for another SSID that the user doesn't have access to, by joining the SSID manually and selecting the certificate (of the other SSID)? I kind of doubt it and will give it a try.
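Added example, not code from the original thread or from Meraki: a small model of the RADIUS-side decision for a certificate-based 802.1X SSID, covering the points made in the reply above (a certificate authenticates, it does not authorise; revoke rather than delete; an exported copy changes nothing) and the question just asked (presenting one SSID's certificate to another SSID manually). Everything in it is an assumption: the CA names, SSID names, tag-to-identity mapping and serial numbers are constructed, and the cryptographic chain validation done by the EAP-TLS handshake is assumed to have already succeeded before `authorize()` runs. It is a model of the principle, not Sentry's implementation.

```python
"""Model of the authorisation decision behind an EAP-TLS (802.1X) SSID.

Constructed example; not Meraki Sentry code. CA names, SSIDs, identities and
serials are assumptions. TLS chain validation is assumed done and not modelled.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ClientCert:
    """The fields of a client certificate that a RADIUS policy actually sees."""
    issuer: str        # CA that signed it (one Sentry CA per SSID, assumed)
    serial: int        # unique per issued certificate; this is what gets revoked
    subject_cn: str    # device identity
    not_after: datetime


@dataclass
class SsidPolicy:
    trusted_issuer: str                                 # only certs from this CA
    allowed_cns: Set[str] = field(default_factory=set)  # devices carrying the tag


class Authenticator:
    """Server-side state: per-SSID policy plus a revocation list keyed on
    (issuer, serial). Deleting a cert from a client keychain never reaches here."""

    def __init__(self, policies: Dict[str, SsidPolicy]) -> None:
        self.policies = policies
        self.revoked: Set[Tuple[str, int]] = set()
        self._next_serial = 1
        self._issued: Dict[str, List[ClientCert]] = {}

    def issue(self, issuer: str, cn: str, lifetime_days: int = 365) -> ClientCert:
        """What a profile (re)install does: a fresh serial; older serials stay valid."""
        cert = ClientCert(issuer, self._next_serial, cn,
                          datetime.now(timezone.utc) + timedelta(days=lifetime_days))
        self._next_serial += 1
        self._issued.setdefault(cn, []).append(cert)
        return cert

    def remove_device(self, ssid: str, cn: str) -> None:
        """Untagging a device: drop its authorisation AND revoke every serial it
        was ever issued, so an exported copy of an old cert is useless too."""
        self.policies[ssid].allowed_cns.discard(cn)
        for cert in self._issued.get(cn, []):
            self.revoked.add((cert.issuer, cert.serial))

    def authorize(self, ssid: str, cert: ClientCert,
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Order matters: trust the issuer first, then validity, then revocation,
        and only then ask whether this identity may use this SSID."""
        now = now or datetime.now(timezone.utc)
        policy = self.policies.get(ssid)
        if policy is None:
            return False, "unknown SSID"
        if cert.issuer != policy.trusted_issuer:
            return False, "issuer not trusted for this SSID"
        if cert.not_after <= now:
            return False, "certificate expired"
        if (cert.issuer, cert.serial) in self.revoked:
            return False, "certificate revoked"
        if cert.subject_cn not in policy.allowed_cns:
            return False, "identity not authorised for this SSID"
        return True, "accept"


def scenario() -> Dict[str, str]:
    """Walk through the situations raised in the thread; returns the reason per step."""
    corp_ca, guest_ca = "Sentry CA corp-wifi", "Sentry CA guest-wifi"  # assumed names
    auth = Authenticator({
        "corp-wifi": SsidPolicy(corp_ca, {"mac-0001"}),
        "guest-wifi": SsidPolicy(guest_ca, set()),
    })
    first = auth.issue(corp_ca, "mac-0001")
    for _ in range(5):                     # Reinstall clicked five more times
        latest = auth.issue(corp_ca, "mac-0001")
    stranger = auth.issue(corp_ca, "mac-0002")   # same CA, device never tagged
    out: Dict[str, str] = {}
    out["latest cert, corp SSID"] = auth.authorize("corp-wifi", latest)[1]
    out["oldest of six certs, corp SSID"] = auth.authorize("corp-wifi", first)[1]
    out["corp cert chosen manually for guest SSID"] = auth.authorize("guest-wifi", first)[1]
    out["untagged device's cert, same CA"] = auth.authorize("corp-wifi", stranger)[1]
    out["cert after expiry"] = auth.authorize(
        "corp-wifi", latest, now=latest.not_after + timedelta(days=1))[1]
    auth.remove_device("corp-wifi", "mac-0001")   # tag removed from the Mac
    out["exported old cert after untagging"] = auth.authorize("corp-wifi", first)[1]
    return out


if __name__ == "__main__":
    for step, reason in scenario().items():
        print(f"{step:45s} -> {reason}")
```

The two checks that answer the thread's questions are the issuer check (a certificate from one SSID's CA is rejected by another SSID regardless of validity) and the combination of revocation with the per-SSID identity list (the six accumulated keychain certificates all work until the device is untagged, after which every serial it ever held is refused, exported copies included). Whether Sentry's RADIUS actually enforces each step is exactly what the thread asks and the model does not settle; the way to find out is the manual join the post above proposes.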
3 weeks have passed. Nothing has moved.
It sounds like this may be an issue with the specific network/SSID that was removed. Do you have a case open with Support on this? You may need to get SM engineering involved to have it removed.
02905804 is the case number.
None of my cases have reached the engineering team with a proper outcome (bug fixed).
So I am not really hoping...
Thank you all for the answers.
Ask the engineer assigned to check with the SM dev team. They have the ability to do this easily so it shouldn't be a problem.
Maybe you are a VIP Customer 😉
Out of 20 cases, none of them got resolved.
Will do, thank you
Case 02905804:
I spent 1h showing it to support on Friday (5 days ago). Not a single update or answer on the case since then.
No one answers anymore and the bugs are still here.
It's really not acceptable. I have never seen that!
Meraki, wake up !
8 days have passed, no news from Meraki either in the community or on the support case.
I've been having this issue as well for a couple of months. I've tried contacting support but they haven't been much help. I have two networks with the same SSID with Sentry enabled, but that led to multiple certificates and our employees' WiFi constantly disconnecting.
Since August, no movement at all.
This profile is not removable and gets pushed even to all new devices, without any possibility to block it!
As we can see, there is no NETWORK assigned; the link goes to
https://n210.meraki.com/n/undefined/manage
and If I click to SSID https://n210.meraki.com/n/undefined/manage/configure/access_control?ssid_number=
So Meraki, remove this profile ASAP. Is it that difficult to resolve this bug? Do you really need 6 months to do this?
+ I am adding one more:
When you click on Profile List / Meraki WiFi, it randomly shows the list of devices in the scope, and that on all profiles.
BR