Local Auth

Ihatemerakis
Here to help

Local Auth

I've been playing round with this feature the past week and have some questions about it. Here is my situation:

 

1. We are going through a merger, one that hasn't been very well organized from an endpoint perspective. Both domains have EAP-TLS configured, with machine certs issues via internal PKI, GPOs pushed to use EAP-TLS for specific SSID, etc.

 

2. I have a need to find a way for machines from both domains to be able to connect to existing SSIDs on my network. Obviously, something like PSK is an option, but not ideal for obvious solutions. At a certain point in the near future machines and users will start to be migrated to the other domain. I honestly don't know if they will lose their PKI issued or machine certs or the GPO with the EAP-TLS settings, I'm assuming so.

 

3. I had the idea of using local auth and having a "generic" client auth cert pushed by all computers on both sides. Uploading the CA to the dashboard, and possibly enabling computers on both sides authenticate to the same SSID regardless of which domain the computer was imaged on. 

 

4. When I upload the CA our current computers machine certs are signed by and enable local auth it works like a charm.

 

5. I used OpenSSL to create a new CA, server cert, and client cert. Uploaded the CA to the dashboard, installed the client cert on a test machine. Doesn't work. I've tried every combination of Windows settings for that SSID. I've tried uploading the CA, the server cert, and the client cert to the dashboard. I just get generic messages like "can't connect to this network". I honestly don't know why. The CA in in the dashboard. A client cert signed by that CA in on the machine. In my mind it should work. Yes, the CA is also installed on the machine as a trusted root CA.

 

Is this even possible or am I banging my head against a wall?

3 Replies 3
FernandoHVoIP
Comes here often

Sounds like a good temporary action plan. Local auth it's just having the RADIUS server on the MR itself. 

I would compare the existing (working) and created certificates to identify any discrepancies in key usage, EKUs, SANs, issuer information, etc. Also verify the CSR used to create the new (test) certificate to ensure it has the necessary information. 

 

If you are still seeing the "can't connect to this network" message, check the MR logs on that timeframe, they should give more information about the root cause.

PhilipDAth
Kind of a big deal
Kind of a big deal

I have not tested this, but if you use LOCAL EAP-TLS auth on the Meraki APs, I suspect if you just put both root CAs into a single file and upload it - it will allow authentication with a certificate issue by either CA.

 

If you are using Active Directory and Windows CA, you can form an AD trust relationship between the two domains, and trust each others users, computers (and certificates as a consequence).

 

If you are using some other RADIUS solution, you might be able to tell it to simply trust any certificate issued by the CA of either organisation.

 

Another option is to enrol machines with both CAs - so it has a certificate with each and can authenticate against either system.

Ihatemerakis
Here to help

So, I got this working. The problem was due to me not properly combining the client cert and the client key into a a .pfk file. Worked like a charm after that.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels