Meraki

Community

Local Auth issues with Android devices

Solved
PPatel
Conversationalist
‎Jun 5 2023 7:09 AM
‎Jun 5 2023 7:09 AM

Local Auth issues with Android devices

Hi Guys,

 

I am trying to get Meraki local authentication working for Wi-Fi device with eap-tls authentication.

 

Current topology:

- Azure AD joined windows and android devices (dedicated).

- SCEP certs deployed to clients.

- Root cert uploaded to meraki wifi ssid with local auth enabled.

- OCSP configured and test.

- Wi-Fi profile getting deployed via Intune.

 

What works:

- Windows clients can successfully connect to Wi-Fi with EAP-TLS when using this setup and OCSP checks work as well.

 

What does not work:

- Android devices fail the authentication when using "anonmyous" as outer identity (identity privacy).

 

What I have tried.

- Turning off OCSP verification - Does not help.

-  Start a packet capture with wireshark - I can see that the client send the correct certificate to Meraki however gets a EAP failure code - trying to figure out why.

 

Workaround I found:

- When deploying the Wi-Fi configuration changing the outer identity field to the common name of the device certificate makes this authentication work.

 

However, this is not ideal as you will need to deploy a separate profile to each device with their own cert Common name as outer identity which would be a management nightmare.

Also, based on my experience the outer identity text should not matter as it is just used to create a secure tunnel to send inner identity credentials.

 

I am looking for some help to resolve this issue.

 

Thanks!

 

0 Kudos
1 Accepted Solution
PPatel
Conversationalist
‎Jun 20 2023 5:46 AM
‎Jun 20 2023 5:46 AM

Found the solution for this issue after working with Meraki support.

Apparently, either the Common Name or Subject Alternative Name of the SCEP cert deployed to android devices must match the outer identity configured in the Wi-Fi profile for Meraki AP to accept it. Issuing a new certificate with a different SAN and using this value as the outer identity in the Wi-Fi profile deployed by Intune, resolved the issue.

View solution in original post

7 Replies 7
TBHPTL
A model citizen
‎Jun 5 2023 8:26 AM
‎Jun 5 2023 8:26 AM

EAP-TLS with which protocol WPA2 or WPA3?

0 Kudos
In response to TBHPTL
PPatel
Conversationalist
‎Jun 5 2023 10:19 AM
‎Jun 5 2023 10:19 AM

WAP2

0 Kudos
In response to PPatel
TBHPTL
A model citizen
‎Jun 5 2023 1:19 PM
‎Jun 5 2023 1:19 PM

Are you using an alternate management interface for RADIUS?

0 Kudos
In response to TBHPTL
PPatel
Conversationalist
‎Jun 7 2023 6:43 AM
‎Jun 7 2023 6:43 AM

Hi,

 

Sorry for the delayed reply. We are not using the alternate management interface.

0 Kudos
PPatel
Conversationalist
‎Jun 20 2023 5:46 AM
‎Jun 20 2023 5:46 AM

Found the solution for this issue after working with Meraki support.

Apparently, either the Common Name or Subject Alternative Name of the SCEP cert deployed to android devices must match the outer identity configured in the Wi-Fi profile for Meraki AP to accept it. Issuing a new certificate with a different SAN and using this value as the outer identity in the Wi-Fi profile deployed by Intune, resolved the issue.

PietK
New here
‎Sep 14 2023 8:27 AM
‎Sep 14 2023 8:27 AM

Hi - We are also trying to get this to work (exact the same topology)  but not able to get this working with certificate on a WIN10 client. User auth is working well (local auth with  SLDAP AAD). Meraki AP is showing a problem with the internal Radius of the MR:

 

Client failed 802.1X authentication to the RADIUS server. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_login_failure' radio='1' vap='0' channel='44' rssi='47'

 

and

 

Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' details='conn_refused' reason='radius_timeout' radio='1' vap='0' channel='44' rssi='48'

 

At this point meraki support is looking in to this problem but for now no sollution yet. We have tested with a MR33 and CW9166I accespoint. MB we are doing some wrong configuration (followed this reference https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...)

 

Is it possible that you can share some configuration to check if we have the correct setup.

 

Thanks in advance - PietK

 

0 Kudos
In response to PietK
Bdcvc
Conversationalist
‎Sep 15 2023 6:22 AM
‎Sep 15 2023 6:22 AM

Hi, we just resolved this issue. 
Solution : Install the IdenTrust Root CA 1 certificate on your end devices.
Please refer to : : https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

 

 

 

Auth. configuration-2.JPG

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.