Could someone please explain to me this "LDAP Server CA" business in MR Local Auth scenario?

Boyan1
Getting noticed


Hi everyone,

I'm trying to test "Enterprise with Local Auth" and use LDAP to verify user/password using one of our Windows domain controllers, which runs LDAP and is being used by other devices in an identical capacity to verify credentials via LDAP. None of those devices references or requires an "LDAP Server CA".


What's that "LDAP Server CA" business? I clearly read that Meraki DOES NOT support Secure LDAP, so what gives? How does one get said "LDAP Server CA" on a Windows 2019 domain controller? MR will not permit leaving that blank, so I'm not allowed to save the configuration without it?


Thanks
~B

[Attached screenshot: Boyan1_0-1679767113113.png]

5 Replies
alemabrahao
Kind of a big deal

Take a look at the documentation.


https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

@alemabrahao Yes, thanks for pointing out the obvious (no pun, just frustration), but STARTTLS is not native on Windows domain controllers; sure, LDAPS is an even bigger hassle, but whatever, it's just my own opinion. I just wish there was a way to disable "LDAP Server CA" altogether, but why complain, since Meraki's "Local Auth" doesn't support EAP-MSCHAPv2 anyway... 🙂

PhilipDAth
Kind of a big deal

On Windows Server you need to be using LDAPS. The server will need a certificate on it. That certificate has to be signed by a CA. It would be an Enterprise CA (like the CA server included in Windows), or even a self-signed certificate (in which case the certificate is also the CA certificate).


That CA certificate will need to get uploaded here.
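The following is an added example, not code from this thread, from Meraki or from Microsoft. It does what the reply above describes from the client side: it opens a TLS connection to the domain controller's LDAPS port, records the certificate chain the DC presents, and writes the top of that chain (the CA certificate, or the DC certificate itself when it is self-signed) as Base64 PEM for the "LDAP Server CA" field. It runs from any Windows machine with PowerShell 5.1 or 7 and network access to the DC. The host name `dc1.corp.example`, the port and the output path are assumptions for the example; replace them with your own.

```powershell
# Added example (not code from the thread, Meraki or Microsoft). Connects to a
# domain controller's LDAPS listener, records the certificate chain it presents,
# and writes the top of that chain as Base64 PEM: the CA certificate that the
# "LDAP Server CA" field asks for (or the DC certificate itself when it is
# self-signed). $Dc, $Port and $OutFile are assumptions for this example.

$Dc      = 'dc1.corp.example'
$Port    = 636
$OutFile = '.\ldap-server-ca.pem'

$script:Presented = @()

# Validation callback. It returns $true for ANY certificate, which is acceptable
# here only because nothing is authenticated over this connection: it exists
# purely to capture what the server sent. The real trust decision is made by the
# MR once the correct CA has been uploaded.
$capture = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $policyErrors)
    $script:Presented = @($chain.ChainElements | ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.Certificate)
    })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Dc, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $capture)
try {
    # LDAPS: the TLS handshake is the first thing on the wire, before any LDAP PDU.
    $ssl.AuthenticateAsClient($Dc)
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

if ($script:Presented.Count -eq 0) {
    throw "No certificate chain captured from ${Dc}:${Port}. Is the DC listening on 636 with a server certificate installed?"
}

$leaf = $script:Presented[0]      # the DC's own certificate
$ca   = $script:Presented[-1]     # top of the chain as this client built it

"Server certificate : $($leaf.Subject)"
"Issued by          : $($leaf.Issuer)"
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { "Names on cert      : $($san.Format($false))" }
"Chain length       : $($script:Presented.Count)"
"CA to upload       : $($ca.Subject)  thumbprint $($ca.Thumbprint)"

if ($ca.Subject -ne $ca.Issuer) {
    # The chain stopped before a self-signed root: this machine does not know the
    # issuing CA and the server did not send it. Export the root from the CA
    # itself rather than trusting a partial chain.
    Write-Warning 'Top of the chain is not self-signed; export the root certificate from the issuing CA instead.'
}

# Base64-wrapped DER with 64-character lines, the PEM form used for pasting a
# certificate into a web form.
$b64 = [Convert]::ToBase64String($ca.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
"Wrote $OutFile"
```

If the chain is cut short, or you simply have access to the Windows Enterprise CA that issued the DC certificate, the CA certificate can also be taken straight from the CA server with `certutil -ca.cert ca.cer` followed by `certutil -encode ca.cer ca.pem` to get the same Base64 form. Either way, the certificate that belongs in the field is the one at the top of the chain that signs the DC's certificate, never the DC certificate itself (unless the DC certificate is self-signed and so is its own CA).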

@PhilipDAth Hi, and thank you for the quick reply. Wait, I see possible confusion: from what I have read, STARTTLS is totally different from LDAPS; while the end game is similar, namely to achieve secure LDAP, mechanically those are two different things, implemented differently and incompatible. In other words, if MR supports STARTTLS it won't talk to an LDAPS endpoint. What's your take?

PhilipDAth
Kind of a big deal

LDAPS is LDAP run over TLS.


STARTTLS is the command you send after you connect to say you want to change to using TLS.
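The distinction in the reply above, as an added example that is not part of the thread: the same domain controller is reached both ways using the .NET LDAP client (`System.DirectoryServices.Protocols.LdapConnection`). With `SecureSocketLayer = $true` the client negotiates TLS the moment the TCP connection to 636 opens and only then speaks LDAP; with `StartTransportLayerSecurity()` it opens a plain LDAP session on 389, sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) and upgrades that session. A third call points the StartTLS client at the LDAPS port to show why a client built for one will not talk to the other. The host name `dc1.corp.example` is an assumption; the certificate callback that accepts everything is diagnostic only and is labelled as such in the code.

```powershell
# Added example (not code from the thread or Meraki). The same domain controller
# reached the two ways described above: LDAPS negotiates TLS as soon as the TCP
# connection to 636 opens and only then speaks LDAP; StartTLS opens a plain LDAP
# session on 389 and upgrades it with an extended operation. A third call sends
# StartTLS to the LDAPS port to show that the two are not interchangeable.
# $Dc is an assumption for this example.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$Dc = 'dc1.corp.example'

function Test-LdapTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('LDAPS', 'StartTLS')][string]$Mode
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

    # Diagnostic only: report which certificate the server presents instead of
    # enforcing trust. In real use keep the default validation, which checks the
    # chain against the machine's trusted CAs, the same job the uploaded CA does
    # on the MR.
    $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]{
        param($connection, $certificate)
        Write-Host "    server certificate: $($certificate.Subject)"
        return $true
    }

    try {
        if ($Mode -eq 'LDAPS') {
            # TLS from the first byte; the LDAP bind below travels inside it.
            $conn.SessionOptions.SecureSocketLayer = $true
        }
        else {
            # Plaintext LDAP ExtendedRequest with OID 1.3.6.1.4.1.1466.20037.
            # TLS begins only after the server answers it with resultCode success.
            $conn.SessionOptions.StartTransportLayerSecurity($null)
        }
        # An anonymous bind simply forces the handshake (and any upgrade) to complete.
        $conn.Bind()
        Write-Host "$Mode to ${Server}:${Port} -> connected"
        return $true
    }
    catch {
        Write-Host "$Mode to ${Server}:${Port} -> failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
        return $false
    }
    finally {
        $conn.Dispose()
    }
}

# LDAP over TLS on the dedicated port.
Test-LdapTls -Server $Dc -Port 636 -Mode LDAPS

# Plain LDAP port, upgraded in-band. Like LDAPS this needs a server certificate
# on the DC, the same certificate the reply above says must be present.
Test-LdapTls -Server $Dc -Port 389 -Mode StartTLS

# StartTLS aimed at the LDAPS port: the plaintext extended request arrives at a
# listener that expects a TLS ClientHello.
Test-LdapTls -Server $Dc -Port 636 -Mode StartTLS
```

The callback signatures used here (`VerifyServerCertificateCallback` taking the connection and the certificate, `StartTransportLayerSecurity` taking an optional control collection) are the .NET ones; whether a given client, MR or otherwise, uses LDAPS or StartTLS is a property of that client, and the port it is configured with has to match.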
