Certificate based Enterprise Local Auth

Solved
MauroJK
Here to help

We are creating some hotspots of our own that are NOT connected to our corporate network.
But I have to create a secure way for our devices to connect to those hotspots seamlessly, in the same way that they do at the corporate network.
On corporate, we have certificate-based authentication based on internal RADIUS servers. But on hotspot networks, the internal RADIUS servers are not available, and we don't wish to make the RADIUS server public on the Internet.

The idea is to configure the local certificate-based authentication (EAP-TLS) on the SSID.

The devices already have a personal certificate issued by our private CA and deployed via MDM.
The devices also already trust the whole chain of that private CA (root and subordinates), and are configured to join that SSID by authenticating with WPA2 Enterprise using their own certificate.

I don't want to deploy and configure the devices to trust IdenTrust, because we already have that working configuration on ALL devices.

My goal is to replace the IdenTrust certificate with my own CA root chain
and authenticate the devices based on the configuration and certificate that they already have.

I have searched and didn't find proper documentation for that scenario.
Is there a guide for CSR generation for the PEM that should be imported on Meraki in replacement of IdenTrust?


3 Replies
KarstenI
Kind of a big deal

Local Auth is not meant to be implemented that way. Although I initially thought it would be a good idea to have it handled by my own CA, just keep in mind that *every* AP needs to get a certificate from your CA. It doesn't make any sense if there is no automatic approach to enroll all APs in your CA. With the Meraki CA, it is automated.

It's not that it wouldn't be possible, but it would probably take a lot of effort for Meraki to make it work for private CA solutions.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
MauroJK
Here to help

Isn't there a way to use TLS on the Dashboard in the same way that it is possible to proxy RADIUS via the centralized proxy on the Dashboard?
This way, we would need only to install the CA PEM chain on the Dashboard, not on all APs.

KarstenI
Kind of a big deal
Accepted Solution

That would be a completely new feature. Put it in the feedback box in the lower right corner of the dashboard.

And I would assume that this will be available as Cloud NAC sooner or later.
