Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Certificate based Enterprise Local Auth

MauroJK
Conversationalist
Saturday
Saturday

Certificate based Enterprise Local Auth

We are creating Some Hotspots of our own that IS NOT Connected to our corporate network. 
But i have to create a secure way for our devices to connect to those HotSpot Seamsly, in the same way that they do at Corporate Network.
On Corporate , we Have Certificate Based Authentication based on internal Radius Servers. But on HotSpot networks. Internal Radius Server are not available and we dont wish to make Radius Server Public on the Internet.

the idea is to configure the local Certificate Based Authentication (EAP-TLS) on the SSID

The Devices have already a Personal Certificate Issued by our Private CA and Deployed via MDM. 
The devices also already trust the whole Chain of that Private CA Root and Subordinates. And are configgured to Join that SSID by authenticating WPA2 Enterprise using it own certificate.

I Dont want to deploy and configure the devices to trust IdenTrust. cause we have already that working configuration on ALL Devices.

My Goal is to replace Identrust Certificate with my own CA Root Chain
and authenticate the devices based on the configuration and certificate that they already have.

 

I have searched and didnt find a proper documentation for that scenario.
There is a Guide for CSR Generation for the PEM that should be imported on Meraki in replacement of IdenTrust?

Labels:
0 Kudos
Subscribe
3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal
Saturday
Saturday

Local Auth is not meant to be implemented that way. Although I initially thought it would be a good idea to have it handled by my own CA, just keep in mind that *every* AP needs to get a certificate from your CA. It doesn't make any sense if there is no automatic approach to enroll all APs in your CA. With the Meraki CA, it is automated.

It's not that it wouldn't be possible, but it would probably take a lot of effort for Meraki to make it work for private CA solutions.

Subscribe
In response to KarstenI
MauroJK
Conversationalist
Sunday
Sunday

There isnt a way to use TLS on Dashboard in the same way that is possible to Proxy the Radius via the Centralized Proxy on dashboard?
This way, we would need only to install the CA PEM Chain on Dashboard, not in all APs.

0 Kudos
Subscribe
In response to MauroJK
KarstenI
Kind of a big deal
Kind of a big deal
Sunday
Sunday

That would be a completely new feature. Put it in the feedback box in the lower right corner of the dashboard.

And I would assume that this will be available as Cloud NAC sooner or later.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.