Thanks Karstenl
I checked the document and would like to see whether my understanding below is correct for local auth.
1. If using password-based auth, say EAP-TTLS/PAP, LDAP must be available for every user's first login? Then the MR will cache a hash of the credentials, so the user can still log in if LDAP is unavailable?
2. For certificate-based authentication (EAP-TLS), the user can log in to the SSID with a valid certificate issued by the issuing CA if the requirements below are met. No external RADIUS or LDAP is required.
2.1 We will import the issuing CA certificate to the MR
2.2 Do not verify certificate with LDAP setting configured in LDAP option
2.3 The client's endpoint trusts the IdenTrust CA root cert
3. The maximum cache timeout is 24 hours, so must the LDAP server be restored within 24 hours? Otherwise the user cache expires and the client cannot log in to that SSID?