Enterprise with Local Auth - how to generate Client Certificate CA

Comes here often

Hello everyone! 

I was thinking of testing the Enterprise with Local Auth authentication method here at home, but I wonder what would be the correct way to generate/upload the Client Certificate CA and generate client certificates...

Mac user here..

Thanks in advance,

LG

Kind of a big deal

Re: Enterprise with Local Auth - how to generate Client Certificate CA

Are you going to use a RADIUS server to authenticate the user certificates?

The "Local Auth" system is only for caching responses so the system can continue to allow people on who have previously been on.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8... 

Comes here often

Re: Enterprise with Local Auth - how to generate Client Certificate CA

Thanks for replying Philip!

I was not going to use RADIUS. What if you don't configure the certificate verification? It isn't mandatory in the config and, as such, there isn't a field to enter any RADIUS server (well, only accounting, but that is not mandatory either).

With that said, in the end, with this config below in mind, the AP does not know which users or certificates it needs to validate?

[Screenshot: Screen Shot 2020-07-06 at 20.53.29.png]

Kind of a big deal

Re: Enterprise with Local Auth - how to generate Client Certificate CA

This config only works when you use a RADIUS server. It caches the RADIUS server saying to allow (or deny) access. If there is no RADIUS server to give the response, there is nothing to cache. Only the cache is used to say whether access is to be granted or not.

Comes here often

Re: Enterprise with Local Auth - how to generate Client Certificate CA

What about this? 

"Otherwise, leave the LDAP option set to Do not verify certificate with LDAP. Note that in this case, any wireless device that presents a valid certificate will be able to connect to the SSID regardless of the permissions set for that device/user."

It just seems that, if I upload the Client Certificate CA and the client certificate matches the one uploaded, the MR will accept the client, not having to previously cache anything from an external RADIUS.


Doesn't make sense? At least it is a way to interpret the documentation about Certificate Caching/Auth. Even the 
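
The documentation line quoted above says any device presenting a valid certificate can join when LDAP verification is off. As an added example (not part of the thread and not Meraki's own procedure), this sketch uses plain `openssl` to build a private CA, issue a client certificate from it, and show that "valid" comes down to chaining to that CA. All names and file paths are constructed, and the dashboard's upload requirements are not covered.

```shell
#!/usr/bin/env bash
# Added example; every name here (Lab Client CA, Other CA, laptop01) is constructed.

# make_ca <dir> <common-name>: self-signed CA key and certificate.
make_ca() {
  mkdir -p "$1" || return 1
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client <ca-dir> <name>: key + CSR, then a clientAuth leaf signed by that CA.
issue_client() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" > "$1/$2.cnf"
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# chains_to <ca.crt> <client.crt>: succeeds only if the leaf verifies against that CA.
chains_to() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_ca "$d/lab" "Lab Client CA" && issue_client "$d/lab" laptop01 || return 1
  make_ca "$d/other" "Other CA" && issue_client "$d/other" laptop01 || return 1
  chains_to "$d/lab/ca.crt" "$d/lab/laptop01.crt"   && echo "lab-issued: accepted"
  chains_to "$d/lab/ca.crt" "$d/other/laptop01.crt" || echo "other-issued: rejected"
  rm -rf "$d"
}

demo
```

The `.key` files are the secrets; a verifier only needs `ca.crt`, so whoever holds `ca.key` decides which devices count as valid.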
