Enterprise with Local Auth with LDAP - Can use OKTA without on PREM Server?

Claudiosm
Here to help


So reading this:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

I thought, well, let's use OKTA as LDAP for local auth, and so far, after a lot of back and forth, I was getting communication between Meraki and LDAP.

[Screenshot 2023-05-17 at 2.50.08 PM.png]

I can get communication on the testing side, so clearly Meraki can communicate with OKTA as LDAP on port 389.

 

[Screenshot 2023-05-16 at 4.53.18 PM.png]

Now on site, clearly the AP is not responding to the clients attempting to authenticate:

Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='7' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_timeout' radio='1' vap='5' channel='40' rssi='45'

My intention was something like the following:

The AP will accept 802.1X connections, hand them off to 127.0.0.1 for RADIUS, and that will then reach out to Okta.

Or you feed it a private CA cert to trust, and it will verify the certificates clients hand it (which I did, using OKTA certs).

Is this technically possible, or am I just dreaming? Meraki support told me maybe, then no, BUT they sent me to ask OKTA.

I just want to understand why I would need a local RADIUS server at all when, in theory, the LDAP entity is our OKTA instance and I'm able to connect with Meraki.

Any help will be appreciated.
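The event line quoted in this post carries everything needed to triage the failure in key='value' fields: the RADIUS target is 127.0.0.1 (the AP's own built-in RADIUS used by local auth) and the reason is radius_timeout. The script below is an added example, not Meraki's or Okta's code, that parses such lines and separates AP-local timeouts from timeouts against an external RADIUS server; only the first sample line is the real one from the post, the other two are constructed in the same layout.

```python
import re
from collections import Counter

# The Meraki MR event line quoted in the post above (kept verbatim).
RADIUS_TIMEOUT_LINE = (
    "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."
    "auth_mode='wpa2-802.1x' vlan_id='7' radius_proto='ipv4' radius_ip='127.0.0.1' "
    "reason='radius_timeout' radio='1' vap='5' channel='40' rssi='45'"
)

# Constructed sample lines in the same key='value' layout; not real Meraki output.
SAMPLE_LINES = [
    RADIUS_TIMEOUT_LINE,
    "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."
    "auth_mode='wpa2-802.1x' vlan_id='7' radius_proto='ipv4' radius_ip='127.0.0.1' "
    "reason='radius_timeout' radio='0' vap='5' channel='6' rssi='38'",
    "Client made an 802.1X authentication request to the RADIUS server, but it did not respond."
    "auth_mode='wpa2-802.1x' vlan_id='10' radius_proto='ipv4' radius_ip='192.0.2.10' "
    "reason='radius_timeout' radio='1' vap='2' channel='44' rssi='50'",
]

# Fields look like name='value'; the free-text message precedes the first field.
KV_RE = re.compile(r"(\w+)='([^']*)'")


def parse_event(line):
    """Split one event line into its free-text message and a dict of key='value' fields."""
    first = KV_RE.search(line)
    if first is None:
        return {"message": line.strip(), "fields": {}}
    message = line[: first.start()].rstrip()
    fields = dict(KV_RE.findall(line[first.start():]))
    return {"message": message, "fields": fields}


def classify(event):
    """Tell AP-local RADIUS timeouts (local auth, radius_ip 127.0.0.1) from external ones."""
    f = event["fields"]
    if f.get("reason") != "radius_timeout":
        return "other"
    if f.get("radius_ip") == "127.0.0.1":
        return "local_auth_timeout"      # the AP's built-in RADIUS never completed the exchange
    return "external_radius_timeout"     # an external RADIUS server did not answer


def summarize(lines):
    """Count each class and record which VLANs are affected, for a quick triage view."""
    counts = Counter()
    vlans = {}
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        counts[label] += 1
        vlans.setdefault(label, set()).add(ev["fields"].get("vlan_id"))
    return {"counts": dict(counts), "vlans": {k: sorted(v) for k, v in vlans.items()}}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

A cluster of local_auth_timeout events on one VLAN with the splash-page/LDAP path working, as this thread reports, points at the EAP exchange between client and AP rather than at the LDAP link, which is what the thread's final post confirms.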
 
 
3 Replies
Claudiosm
Here to help

Something to add for whoever reads this and wants to help me: if I choose no encryption and I leave the authentication to be handed to the splash page, authentication to that LDAP server (Okta) on port 389 works!

So I'm sure this is something happening on the encryption side with the AP... not sure what exactly.

Claudiosm
Here to help

Has anyone EVER implemented this?

Claudiosm
Here to help

Answering my own thread but here we go:

 

Short answer is YES, you can use local auth without on-prem, as long as you have some sort of LDAP somewhere (Okta in our case). For Local Auth to work and be able to pass authentication when the RADIUS built into each AP is requested, EAP-TTLS + PAP has to be configured on each client. We can potentially push an MDM profile with these settings, I believe, both on Macs and Windows 10 clients; here are some details:

[Screenshot 2023-05-20 at 4.51.22 PM.png]

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TTLS___PAP_Authent...

and macOS:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TTLS___PAP_Authent...

In a few words, because of the security implications, the best route would be to require a cert as well (buying from DigiCert or someone of the sort) to enforce EAP-TLS over EAP-TTLS/PAP.

[Screenshot 2023-05-20 at 1.40.16 PM.png]
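The post says the fix is to push a client profile that selects EAP-TTLS with PAP as the inner method, and that EAP-TLS with a client certificate is the safer end state. The following is an added example, not code from the thread, Meraki, Okta or Apple, that generates a macOS Wi-Fi configuration profile (.mobileconfig plist) for either method and audits it for the two controls that matter with EAP-TTLS/PAP: a pinned CA anchor and a pinned RADIUS server name, without which the inner PAP password is sent to whatever server the client ends up talking to. Payload keys follow Apple's configuration profile format; the certificate bytes, the com.example identifier prefix and the server name used in the test are placeholders.

```python
import plistlib
import uuid

EAP_TLS = 13    # EAP method numbers from the IANA EAP registry
EAP_TTLS = 21

# Constructed placeholders standing in for DER-encoded certificates / a PKCS#12 identity.
FAKE_CA_DER = b"PLACEHOLDER-CA-CERT-DER"
FAKE_IDENTITY_P12 = b"PLACEHOLDER-CLIENT-IDENTITY-P12"


def _payload(ptype, name, **extra):
    """Common envelope every Apple profile payload needs."""
    p = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{name}",   # hypothetical identifier prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }
    p.update(extra)
    return p


def build_wifi_profile(ssid, method, trusted_server_names, ca_der=FAKE_CA_DER, identity_p12=None):
    """Return a profile dict with a WPA2-Enterprise Wi-Fi payload for EAP-TTLS/PAP or EAP-TLS."""
    ca = _payload("com.apple.security.root", "radius-ca", PayloadContent=ca_der)
    eap = {
        "AcceptEAPTypes": [method],
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # RADIUS cert must chain to this CA
        "TLSTrustedServerNames": list(trusted_server_names),  # and present one of these names
    }
    payloads = [ca]
    if method == EAP_TTLS:
        eap["TTLSInnerAuthentication"] = "PAP"   # inner method the thread found local auth requires
    elif method == EAP_TLS:
        if identity_p12 is None:
            raise ValueError("EAP-TLS needs a client identity (PKCS#12)")
        ident = _payload("com.apple.security.pkcs12", "client-identity", PayloadContent=identity_p12)
        eap["PayloadCertificateUUID"] = ident["PayloadUUID"]   # client authenticates with this cert
        payloads.append(ident)
    else:
        raise ValueError("unsupported EAP type")
    wifi = _payload("com.apple.wifi.managed", f"wifi-{ssid}", SSID_STR=ssid, AutoJoin=True,
                    EncryptionType="WPA2", EAPClientConfiguration=eap)
    payloads.append(wifi)
    return _payload("Configuration", f"{ssid}-profile", PayloadContent=payloads)


def audit_wifi_payload(profile):
    """List hardening controls missing from the Wi-Fi payload (empty list = nothing to flag)."""
    findings = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append("no trusted CA anchor: RADIUS server certificate is not validated")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no TLSTrustedServerNames: any cert from the anchor CA is accepted")
        if EAP_TTLS in eap.get("AcceptEAPTypes", []) and eap.get("TTLSInnerAuthentication") == "PAP":
            findings.append("EAP-TTLS/PAP: password sent inside the TLS tunnel; prefer EAP-TLS")
    return findings


def to_mobileconfig(profile):
    """Serialise the profile to the XML plist that MDM delivers as a .mobileconfig."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_wifi_profile("CorpWiFi", EAP_TTLS, ["radius.example.internal"])
    print(to_mobileconfig(prof).decode())
    print(audit_wifi_payload(prof))
```

The EAP-TTLS profile still carries one finding by design: the audit keeps reminding that the inner PAP credential is protected only by the outer TLS tunnel, which is exactly why the post recommends moving to EAP-TLS once client certificates are available.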

 
