Local Auth issues with Android devices

Solved
PPatel
Conversationalist

Hi Guys,

I am trying to get Meraki local authentication working for Wi-Fi devices with EAP-TLS authentication.

Current topology:

- Azure AD joined Windows and Android devices (dedicated).
- SCEP certs deployed to clients.
- Root cert uploaded to the Meraki Wi-Fi SSID with local auth enabled.
- OCSP configured and tested.
- Wi-Fi profile getting deployed via Intune.

What works:

- Windows clients can successfully connect to Wi-Fi with EAP-TLS when using this setup, and OCSP checks work as well.

What does not work:

- Android devices fail the authentication when using "anonymous" as the outer identity (identity privacy).

What I have tried:

- Turning off OCSP verification - does not help.
- Starting a packet capture with Wireshark - I can see that the client sends the correct certificate to Meraki but gets an EAP failure code; trying to figure out why.

Workaround I found:

- When deploying the Wi-Fi configuration, changing the outer identity field to the common name of the device certificate makes this authentication work.

However, this is not ideal, as you will need to deploy a separate profile to each device with its own cert Common Name as the outer identity, which would be a management nightmare.

Also, based on my experience the outer identity text should not matter, as it is just used to create a secure tunnel to send the inner identity credentials.

I am looking for some help to resolve this issue.

Thanks!


1 Accepted Solution
PPatel
Conversationalist

Found the solution for this issue after working with Meraki support.

Apparently, either the Common Name or a Subject Alternative Name of the SCEP cert deployed to Android devices must match the outer identity configured in the Wi-Fi profile for the Meraki AP to accept it. Issuing a new certificate with a different SAN and using this value as the outer identity in the Wi-Fi profile deployed by Intune resolved the issue.
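The accepted solution says the outer identity must equal the certificate's CN or one of its SANs. The following Go program is an added example (not code from the thread, from Meraki or from Intune) of how to verify that before pushing a profile: it builds a throwaway device certificate with constructed names (DEVICE-0001 and device-0001.example.net are made up), lists every identity the certificate carries, and checks a candidate outer identity against them. In practice you would replace NewDeviceCert with x509.ParseCertificate on the DER blob exported from the device. Exact, case-sensitive matching is an assumption; the thread only says the values must match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// NewDeviceCert builds a self-signed client certificate in memory with the
// given Common Name and Subject Alternative Names. It stands in for the
// SCEP-issued device certificate from the thread; with a real device you
// would x509.ParseCertificate the exported DER blob instead.
func NewDeviceCert(cn string, dnsSANs, emailSANs, uriSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		DNSNames:       dnsSANs,
		EmailAddresses: emailSANs,
	}
	for _, raw := range uriSANs {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertIdentities lists every name the certificate carries: the Subject CN
// first, then the DNS, e-mail, URI and IP SANs, all as plain strings.
func CertIdentities(cert *x509.Certificate) []string {
	var ids []string
	if cert.Subject.CommonName != "" {
		ids = append(ids, cert.Subject.CommonName)
	}
	ids = append(ids, cert.DNSNames...)
	ids = append(ids, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	for _, ip := range cert.IPAddresses {
		ids = append(ids, ip.String())
	}
	return ids
}

// OuterIdentityMatches reports whether the EAP-Response/Identity value the
// supplicant will send (the profile's "outer identity") equals the CN or any
// SAN of the certificate, and which name it matched. Exact comparison is an
// assumption: the thread says the values must match, not how loosely.
func OuterIdentityMatches(cert *x509.Certificate, outerIdentity string) (bool, string) {
	for _, id := range CertIdentities(cert) {
		if id == outerIdentity {
			return true, id
		}
	}
	return false, ""
}

func main() {
	// Constructed names; nothing here comes from the thread's real deployment.
	cert, err := NewDeviceCert("DEVICE-0001", []string{"device-0001.example.net"}, nil, nil)
	if err != nil {
		panic(err)
	}
	for _, outer := range []string{"anonymous", "DEVICE-0001", "device-0001.example.net"} {
		ok, matched := OuterIdentityMatches(cert, outer)
		fmt.Printf("outer identity %-26q accepted=%-5v matched=%q\n", outer, ok, matched)
	}
}
```

Run against the real device certificate, the "anonymous" case reproduces the failure in the original post and the CN or SAN case reproduces the workaround; a SAN that is identical on every device certificate is what lets a single Intune profile carry one fixed outer identity.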

7 Replies
TBHPTL
A model citizen

EAP-TLS with which protocol WPA2 or WPA3?

PPatel
Conversationalist

WPA2

TBHPTL
A model citizen

Are you using an alternate management interface for RADIUS?

PPatel
Conversationalist

Hi,

Sorry for the delayed reply. We are not using the alternate management interface.

PietK
New here

Hi - We are also trying to get this to work (exactly the same topology) but are not able to get this working with a certificate on a WIN10 client. User auth is working well (local auth with SLDAP AAD). The Meraki AP is showing a problem with the internal RADIUS of the MR:

Client failed 802.1X authentication to the RADIUS server. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_login_failure' radio='1' vap='0' channel='44' rssi='47'

and

Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' details='conn_refused' reason='radius_timeout' radio='1' vap='0' channel='44' rssi='48'

At this point Meraki support is looking into this problem, but for now there is no solution yet. We have tested with an MR33 and a CW9166I access point. Maybe we are doing some wrong configuration (followed this reference https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...)

Is it possible that you can share some configuration to check if we have the correct setup?

Thanks in advance - PietK

 

Bdcvc
Conversationalist

Hi, we just resolved this issue.
Solution: Install the IdenTrust Root CA 1 certificate on your end devices.
Please refer to: https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

(attachment: Auth. configuration-2.JPG)
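The two MR event-log lines PietK quoted above describe different failures: in the first the AP's local RADIUS (radius_ip='127.0.0.1') answered and rejected the client, in the second it refused the connection (details='conn_refused') and the client was never evaluated. The following Go program is an added example (not Meraki's code or a Meraki tool) of parsing that key='value' event format and sorting the lines into next steps; the sample lines are copied from the post, the triage labels are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleEvents are the two MR event-log lines quoted in this thread.
var SampleEvents = []string{
	"Client failed 802.1X authentication to the RADIUS server. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_login_failure' radio='1' vap='0' channel='44' rssi='47'",
	"Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' details='conn_refused' reason='radius_timeout' radio='1' vap='0' channel='44' rssi='48'",
}

// kvRe matches the key='value' pairs that follow the free-text message.
var kvRe = regexp.MustCompile(`(\w+)='([^']*)'`)

// ParseMREvent splits one event line into its message text and a field map.
func ParseMREvent(line string) (string, map[string]string) {
	fields := map[string]string{}
	matches := kvRe.FindAllStringSubmatchIndex(line, -1)
	if len(matches) == 0 {
		return strings.TrimSpace(line), fields
	}
	msg := strings.TrimSpace(line[:matches[0][0]])
	for _, m := range matches {
		fields[line[m[2]:m[3]]] = line[m[4]:m[5]]
	}
	return msg, fields
}

// TriageRadiusEvent turns parsed fields into a short label. radius_ip
// 127.0.0.1 is the AP's own local-auth RADIUS. A refused connection means
// the AP/SSID side never handled the request; a login failure means the
// RADIUS side did handle it and rejected the client, so the certificate
// chain, CN/SAN versus outer identity and OCSP are the things to check.
func TriageRadiusEvent(fields map[string]string) string {
	local := fields["radius_ip"] == "127.0.0.1"
	switch {
	case fields["reason"] == "radius_timeout" && fields["details"] == "conn_refused" && local:
		return "ap-local-radius-refused"
	case fields["reason"] == "radius_timeout":
		return "radius-unreachable"
	case fields["reason"] == "radius_login_failure" && local:
		return "ap-local-radius-rejected-client"
	case fields["reason"] == "radius_login_failure":
		return "external-radius-rejected-client"
	default:
		return "not-a-radius-failure"
	}
}

func main() {
	for _, line := range SampleEvents {
		msg, fields := ParseMREvent(line)
		fmt.Printf("%-60.60s -> %s\n", msg, TriageRadiusEvent(fields))
	}
}
```

Feeding an export of the network event log through ParseMREvent lets you count how many failures are "refused" versus "rejected" per AP, which separates an AP-side local-auth problem from a fleet of clients with the wrong certificate names.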
