Azure Cloud PKI is now released; how do we hook Meraki AP to it?

Boyan1
Getting noticed


Hi everyone,

It's April of 2024, Microsoft Cloud PKI for Microsoft Intune has been out for some time and it looks very promising for AAD-only joined devices, but how do we hook our MRs to it so one can do enterprise 802.11x based on PKI certificate auth (device-based auth)?

https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-overview

I know how to do it the legacy way, with on-prem CA, EAP-TLS, etc., and RADIUS as the last-mile authenticator to the Meraki AP, but this "Cloud PKI" is totally new. It promises to eliminate the on-prem CA, the Intune connector and a ton of other heavyweight components.

Anyone gone down that road? What endpoint would the APs talk to? What profile to set up the SSID under? So many unknowns!

Thanks

~B

14 Replies
PhilipDAth
Kind of a big deal

Already done it.


Configure the SSID to use local auth with certificate authentication. Upload your Cloud PKI certificate. Works great.


https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...


@PhilipDAth Thank you, but what do you plug in here? Azure Cloud PKI does NOT expose any endpoints on the public Internet that the MR can be pointed to.


Brash
Kind of a big deal

In the image here, you have certificate auth disabled.

Following what @PhilipDAth said, you need to enable it.

Speedbird1
Getting noticed

I was just looking at this and it's damn expensive.

2000 devices/users is somewhere in the region of £34000 per annum as a standalone add-on.

You would think MS would include this in enterprise licences.


Under our account it looks to be £1.64 per licence per month. I think the pricing is similar to SCEPman with support.


RobinHelmig
Just browsing

When running a test to install the certificate I get the following error:

In Cloud PKI, there are two different formats for downloading the root CA. You need to download the other format.

Hi @PhilipDAth I am now testing this and stuck at the same point, I will have one option to download from Microsoft Cloud PKI and it downloads as .cer. Meraki says this is invalid. Any help would be much appreciated!

jrhop
Getting noticed

Got it working now @PhilipDAth @RobinHelmig. Opened the cert, Details tab, Copy to File, and chose the second option; even though it saves as CER you can upload it into Meraki.

TJONES-614
Conversationalist

@RobinHelmig Did you get the correct format uploaded? I'm not seeing where the other format is available. Or do you download the .cer file and convert it to PEM?

No I did not, I'm short on time at the moment.

TJONES-614
Conversationalist

I don't have it working. However, I did deploy the trusted root and issuing certificates. Once created, I used OpenSSL to convert the certificates into the PEM format.

I have it working pointing to the Meraki Local Auth and via NPS. The Local Auth method seems to take a long time to authenticate, and I did have to reboot the AP to get it working. The lack of OCSP with Cloud PKI is a bit disappointing; it only has CRL, which the Meraki Local Auth doesn't seem to support.
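The format problem several posters hit above (a .cer that Meraki rejects until it is re-exported or converted with OpenSSL) comes down to DER versus Base-64 encoding of the same CA certificate. As an added example, not code from any poster or from Meraki or Microsoft, this Python script takes a Cloud PKI root or issuing CA file in either export form, checks that the DER outer length is consistent with the file size, and writes canonical PEM for the upload; the SAMPLE_DER blob is constructed and is not a real certificate.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def der_length(data: bytes) -> int:
    """Total length of the outer DER SEQUENCE (tag + length bytes + content)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: expected leading byte 0x30")
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def cer_to_pem(raw: bytes) -> str:
    """Normalise a .cer file (binary DER or Base-64/PEM text) to canonical PEM."""
    if b"-----BEGIN CERTIFICATE-----" in raw:
        # Windows "Base-64 encoded X.509 (.CER)" export: PEM body, CRLF line ends
        blobs = [base64.b64decode(b"".join(m.group(1).split()), validate=True)
                 for m in PEM_RE.finditer(raw)]
        if not blobs:
            raise ValueError("PEM header found but no complete certificate block")
    else:
        blobs = [raw]                      # Windows "DER encoded binary X.509 (.CER)"
    out = []
    for der in blobs:
        if der_length(der) != len(der):
            raise ValueError("DER length does not match file size: truncated or not X.509")
        body = base64.b64encode(der).decode("ascii")
        out.append("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out)

# Constructed stand-in for a DER file: SEQUENCE { INTEGER 0 }, not a real certificate
SAMPLE_DER = bytes.fromhex("3003020100")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DER
    sys.stdout.write(cer_to_pem(data))
```

Run it as `python cer_to_pem.py CloudPKI-Root.cer > CloudPKI-Root.pem` and upload the PEM output; a ValueError means the file is not a single X.509 certificate (for example a PKCS#7 chain), which the AP will also refuse.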
