So reading this:
I thought, well, let's use OKTA as LDAP for local auth, and so far, after a lot of back and for i was getting communication between Meraki and LDAP
I can get communication on the testing side so clearly Meraki can communicate with OKTA as LDAP on port 389
Now on site, clearly the AP is not responding to the clients attempting to authenticate:
Client made an 802.1X authentication request to the RADIUS server, but it did not respond.auth_mode='wpa2-802.1x' vlan_id='7' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_timeout' radio='1' vap='5' channel='40' rssi='45'
My intention was something like the next:
Is this technically possible or I'm just dreaming? Meraki support told me, maybe, then no BUT they sent me to ask OKTA.
I just want to understand why I would need a local Radius Server at all when in theory, the LDAP entity is our OKTA instance and I'm able to connect with Meraki.
Any help will be appreciated.
Answering my own thread but here we go:
Short answer is YES, you can use local auth without on prem, as far you have some sort of LDAP somewhere(okta in our case). For Local Auth to work and be able to pass authentication when the radius built on each AP is requested, in each client, EAP-TTLS + PAP has to be configured. We can potentially push an MDM Profile with these settings, I believe, both on Macs and Windows 10 clients; here some details:
and MacOs
in a few words, because of the security implications, best route would be to require a cert as well(buying from digicert or someone of the sort) to enforce EAP-TLS over EAP-TTLS/PAP
