Do EAP-TLS with MS CA but without RADIUS


Hi all


I understand that Meraki can use a tag configured by System Manager to do something like cert auth without using RADIUS (details in the link below).


Does Meraki provide a method to do EAP-TLS with the existing MS PKI, but without deploying RADIUS or the System Manager app/enrollment?


Best regards


Alex Tsang


Thanks Karstenl


I checked the document and would like to see whether my understanding below of local auth is correct.

1. If using password-based authentication, say EAP-TTLS/PAP, LDAP must exist for every user's first login? Then the MR will cache a hash of the credentials, so the user can still log in if LDAP is unavailable?

2. For certificate-based authentication (EAP-TLS), a user can log in to the SSID with a valid certificate issued by the issuing CA if the requirements below are met. No external RADIUS or LDAP is required.

2.1 We will import the issuing CA certificate to the MR.

2.2 Do not verify the certificate with LDAP (setting configured in the LDAP option).

2.3 The client's endpoint trusts the IdenTrust CA root cert.

3. The maximum cache timeout is 24 hours, so does that mean the LDAP server must be restored within 24 hours? Otherwise the user cache expires and the client cannot log in to that SSID?

1: Yes, at the moment only one LDAP server can be specified. With this caching, users can still connect if this LDAP server is down. But it's still a single point of failure that can easily be avoided with RADIUS.

2: Right, but it's perhaps not a bad idea to take the CN or a SAN from the certificate and query it against LDAP. Otherwise you can't easily lock out a user who still has his certificate but doesn't belong to the company any more.

3: Yes, 1d is the max. If you have doubts, in case a recovery takes more time, I would directly go for redundant RADIUS servers.
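The gap in point 2 above, as an added example that is not part of this thread or of any Meraki code: a check that accepts an EAP-TLS client only if the UPN in its SAN (or its CN) resolves to an enabled directory account, shown beside the CA-trust-only decision the MR makes on its own. The issuer name, directory snapshot and certificates are constructed; the disabled-account bit is AD's real userAccountControl flag 0x2.

```python
"""EAP-TLS authorization: trust the issuing CA, then confirm the certificate's
identity against the directory. Constructed example, not Meraki code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
ACCOUNTDISABLE = 0x2  # real AD userAccountControl bit for a disabled account
TRUSTED_ISSUER = "CN=Contoso Issuing CA"  # constructed: the CA imported on the MR

@dataclass
class ClientCert:
    """Identity fields the authenticator sees after the EAP-TLS handshake."""
    issuer: str
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_upn: Optional[str] = None  # otherName UPN from the SAN extension

def identity_from_cert(cert: ClientCert) -> str:
    """Prefer the SAN UPN (what an AD-enrolled cert carries); fall back to the CN."""
    return (cert.san_upn or cert.subject_cn).lower()

def local_auth_only(cert: ClientCert, now: datetime) -> bool:
    """'Trust the issuing CA, no LDAP': every unexpired cert from that issuer
    passes, including the certs of people who have left the company."""
    return cert.issuer == TRUSTED_ISSUER and cert.not_before <= now <= cert.not_after

def authorize(cert: ClientCert, directory: dict, now: datetime) -> Tuple[bool, str]:
    """Issuer and validity first, then require an existing, enabled account."""
    if not local_auth_only(cert, now):
        return False, "certificate not from trusted issuer or outside validity"
    ident = identity_from_cert(cert)
    account = directory.get(ident)  # stands in for an LDAP search on userPrincipalName
    if account is None:
        return False, f"{ident}: no directory account"
    if account["userAccountControl"] & ACCOUNTDISABLE:
        return False, f"{ident}: account disabled"
    return True, f"{ident}: certificate and account valid"

# Constructed directory snapshot and certificates: Bob's account was disabled
# when he left, but his certificate is still within its validity period.
DIRECTORY = {"alice@contoso.example": {"userAccountControl": 0x200},
             "bob@contoso.example": {"userAccountControl": 0x200 | ACCOUNTDISABLE}}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALIDITY = dict(issuer=TRUSTED_ISSUER, not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
                not_after=datetime(2025, 1, 1, tzinfo=timezone.utc))
ALICE = ClientCert(subject_cn="Alice", san_upn="alice@contoso.example", **VALIDITY)
BOB = ClientCert(subject_cn="Bob", san_upn="bob@contoso.example", **VALIDITY)

if __name__ == "__main__":
    for cert in (ALICE, BOB):
        print(local_auth_only(cert, NOW), authorize(cert, DIRECTORY, NOW))
```

Bob's certificate passes the CA-trust-only check but is refused once the directory lookup is added, which is the lock-out the answer is after.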
