Meraki

Community

Error when trying to save Enterprise with Local Auth - WAP incompatible with association type

Solved
Claudiosm
Here to help
‎Apr 14 2023 1:37 AM
‎Apr 14 2023 1:37 AM

Error when trying to save Enterprise with Local Auth - WAP incompatible with association type

I'm trying to set up Enterprise with Local Auth validated with 802.1X at association time and Password authentication(not certificate). The idea is to use my LDAP server, which is okta, and the RADIUS server INSIDE the MR42 and i did:

 

  1. Put the OKTA LDAP server info
  2. Admin LDAP Account
  3. DN
  4. LDAP Server CA ==>> https://support.okta.com/help/s/article/Okta-LDAP-Interface-Certificate-Update?language=en_US

 

But when I try to save the changes, no matter what i do, i get this error:

 

 

There were errors in saving this configuration:

WPA encryption mode is incompatible with association type.

 

 

Screenshot 2023-04-14 at 1.25.59 AM.png

Screenshot 2023-04-14 at 1.23.25 AM.png

Not sure if some info is wrong on my side or the creds or the cert, and that triggers that error because I can't see a way to change the WPA encryption mode. 
 
Thanks for your time.
Labels:
0 Kudos
1 Accepted Solution
TiloC
New here
‎May 12 2023 5:16 AM
‎May 12 2023 5:16 AM

I can confirm the bug. In the SSID Access control settings when I switch to the new config/ dashboard version it isn't possible to save after switch the WPA encryption mode to "WPA2 only". Go to the "old version" then saving works.

Access Control 2 - Meraki Dashboard.png

 

View solution in original post

0 Kudos
9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 14 2023 1:13 PM
‎Apr 14 2023 1:13 PM

Have you tried changing this config?

 

 

alemabrahao_0-1681503192958.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Claudiosm
Here to help
‎Apr 14 2023 1:59 PM
‎Apr 14 2023 1:59 PM

Hi @alemabrahao !

 

I tried different Values on the LDAP configuration, I suspect the error is technically something there but I can't pass this. Could be the port? I set up other LDAP integrations in the past(Printing/SCIM), but since are only doing directory searches don't usually require a Port.


I got the info from the OKTA documentation here:

 

 https://help.okta.com/oie/en-us/Content/Topics/Directory/LDAP-interface-connection-settings.htm 

 

And the format Meraki points out in the fields are:

 

Screenshot 2023-04-14 at 1.56.00 PM.png

 I believe they align with what I completed, as shown in my previous post.

 

The error is not super specific either, which I have seen before on the Meraki dashboard when configuring other stuff.

 

I am just trying to find out what I'm doing wrong.

 

Any help is appreciated.

0 Kudos
In response to Claudiosm
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 14 2023 4:10 PM
‎Apr 14 2023 4:10 PM

What version are you running? Have you tried with another firmware version? Maybe It could be a bug.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Claudiosm
Here to help
‎Apr 14 2023 4:59 PM
‎Apr 14 2023 4:59 PM

I'm running: 

 

MS 14.33.1 on the MS120-48LP Switch ==> I have scheduled one update for Next Week

MR 29.5.1 on the MR42 Access Points ==> Current Version

MX 17.10.2 on the MX250 Security Appliance ==> Upgrade scheduled for May.

 

Would you recommend doing the switch earlier? It does look like a glitch, but again, I can't say for sure.

 

About WPA encryption, we only have those two options, and that's it. Get the same error no matter what i select.

 

Screenshot 2023-04-14 at 4.56.31 PM.png

 

0 Kudos
In response to Claudiosm
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 14 2023 5:15 PM
‎Apr 14 2023 5:15 PM

Have you tried another MR version?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Claudiosm
Here to help
‎Apr 14 2023 5:36 PM
‎Apr 14 2023 5:36 PM

On the Hard, all APs are MR42s. On the firmware, I didn't but I can upgrade and see if that makes any difference.

0 Kudos
Claudiosm
Here to help
‎Apr 15 2023 1:14 PM
‎Apr 15 2023 1:14 PM

Last night I performed the latest Firmware update on the switch, and now both my APs and Switch are updated, still not able to save settings without hitting the same error:

 

 

There were errors in saving this configuration:

WPA encryption mode is incompatible with association type.

 

 

On the security tab, Meraki doesn't like or seem incompatible with WPA2 Enterprise with Local Auth, but I can't set up security without WPA1/WPA2(in the case of not being compatible). Now, if I set up security as open but then I select the splash page with my LDAP server, that does work... (but with no Encryption). 

 

I read all of these articles:

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/External_Identity_Sources

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

 

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Wireless_Fundamentals%3A_Encrypt...

 

 

  • WPA2 – Enterprise

    WPA2 Enterprise utilizes authentication on a user level, using the 802.1x standard, along with the features of WPA2 such as AES. Cisco Meraki fully supports WPA2 Enterprise association with RADIUS and PEAP/MSCHAPv2, or Meraki Authentication, to provide a secure wireless network for enterprise use. users log in with a valid username and password to authenticate instead of a pre-shared key susceptible to social engineering. 

  • Splash Page

    Cisco Meraki provides a variety of splash pages that can be utilized for additional security.

    • Sign on with Authentication - Forces users to authentication through a sign on page using various types of Authentication including RADIUS, LDAP, and Meraki Authentication.
    • Sign on with SMS Authentication - Forces users to authenticate with an SMS code that they would receive on their phone.
    • Systems Manager Sentry - Utilizes Cisco Meraki Systems Manager, users will need to install the manager client on their computer, their device can then be viewed on a Systems Manager network.

    Splash Pages can be used with or without a WPA/WEP solution as well.

 

So Local Auth LDAP Authentication is not compatible without a splash page? 

0 Kudos
Claudiosm
Here to help
‎Apr 15 2023 1:59 PM
‎Apr 15 2023 1:59 PM

This was a GUI Dashboard bug all the way! 

 

WPA encryption mode is incompatible with association type: it's a dashboard bug; set the network to WPA2 with preshared key, set a password, save, then configure the Local auth

 

After doing that all set!

 

(thank you Isaac if you are reading this).

TiloC
New here
‎May 12 2023 5:16 AM
‎May 12 2023 5:16 AM

I can confirm the bug. In the SSID Access control settings when I switch to the new config/ dashboard version it isn't possible to save after switch the WPA encryption mode to "WPA2 only". Go to the "old version" then saving works.

Access Control 2 - Meraki Dashboard.png

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.