Could someone please explain to me this "LDAP Server CA" business in MR Local Auth scenario?

Boyan1
Getting noticed

Could someone please explain to me this "LDAP Server CA" business in MR Local Auth scenario?

Hi everyone,

 

I'm trying to test "Enterprise with Local Auth" and use LDAP to verify user/password using one of our Windows domain controller which runs LDAP and is being used by other devices in identical capacity to verify credentials via LDAP. None of those devices reference nor require "LDAP Server CA"

 

What's that "LDAP Server CA" business? I clearly read that Meraki DOES NOT support Secure LDAP so what gives? How does one get said "LDAP Server CA" on a Windows 2019 domain controller? MR will not permit leaving that blank so I'm allowed to save the configuration without it?

 

Thanks
~B

 

 

Boyan1_0-1679767113113.png

 

 

5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal

Take a look on the documentation.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Boyan1
Getting noticed

@alemabrahao Yes thanks for pointing out the obvious (no punt, just frustration) but STARTTLS is not native on Windows domain controllers; sure LDAPS is even a bigger hassle but whatever, it's just my own opinion. I just wish there was a way to disable "LDAP Server CA" altogether but why complain since Meraki's "Local Auth" doesn't support EAP-MSCHAPv2 anyway... 🙂 

PhilipDAth
Kind of a big deal
Kind of a big deal

On Windows server you need to be using LDAPS.  The server will need a certificate on it.  That certificate has to be signed by a CA.  It would be an Enterprise CA (like the CA server included in Windows),or even a self signed certificate (in case case the certificate is also the CA certificate).

 

That CA certificate will need to get uploaded here.

Boyan1
Getting noticed

@PhilipDAth Hi and thank you for the quick reply. Wait, I see possible confusion, from what I have read, STARTTLS is totally different from LDAPS; while the end game is similar, namely to achieve secure LDAP, mechanically those are 2 different things, implemented differently and incompatible - in other words if MR supports STARTTLS it won't talk to LDAPS end point. What's your take?

PhilipDAth
Kind of a big deal
Kind of a big deal

LDAPS is LDAP run over TLS.

 

STARTTLS is the command you send after you connect to say you want to change to using TLS.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels