MR-36 | What certificate type do I need?

Solved
VIMASSIVE
Comes here often

I’m planning a Local Auth with Password between my Windows Server and Meraki MR-36.
What I understand so far is that I’ll have to create a CSR from the Windows Server and then present that CSR to GoDaddy to purchase the certificate.

I explained to the GoDaddy rep what I need and asked which certificate type I should purchase.
The recommendation was a UCC Certificate, but this cost was about $250 per year. I don’t really want to spend that much, but I also don’t want to use a self-signed certificate.

I have one domain in my forest – servername.mydomain.com

Would a standard certificate work in this situation? Or do I need the UCC?

3 Replies
KarstenI
Kind of a big deal

Given that your clients are all managed by yourself, you can generate a CA on your own and build a certificate with that. You don't need a public certificate. My recommendation would be https://smallstep.com/product/wifi/

They also have a free version.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
VIMASSIVE
Comes here often

Hi KarstenI, grateful for the input.

I'm going to be creating multiple SSIDs. One of the SSIDs would not have LAN access and would allow members of the organization to connect personal phones and tablets (BYOD). I read that the clients needed to be able to trust the certificate, so a public certificate from a reputable Certificate Authority is needed in this scenario? Do you agree?

I'm trying to understand: after I upload a certificate to the MR-36, does the certificate only play a part between the server and access point, or between the server, access point and clients?

KarstenI
Kind of a big deal

The implicit trust you refer to is only valid for browsers, but not for 802.1X. Here, the trust comes from either explicit configuration through an MDM, GPOs, or config-files (i.e., mobileconfig on Apple devices) or TOFU (Trust on First Use). You can use a public cert for this, but it won't give your clients any trust. Just think that any holder of a public cert would be trusted. Anyone could impose a RADIUS server role. The public cert won't give you any benefit for this use case.

The cert is used between the Client and the EAP Authentication Server, which is typically the company's RADIUS server. However, with local auth, the AP takes this role.

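The trust model from the accepted answer, as an added example that is not part of the original thread: a private CA issues the EAP server certificate, and the client accepts a server only if it chains to that pinned CA and carries the expected name. It assumes the OpenSSL command line is installed; `openssl verify` stands in for the supplicant's server validation, and all CA names and hostnames are constructed.

```sh
#!/bin/sh
# Added example. "Example Corp WiFi CA", radius.example.internal etc. are constructed names.
set -eu
WORK=$(mktemp -d)

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca <name> <CN>: self-signed CA key and certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue <ca> <name> <dns>: server certificate for <dns>, signed by <ca>
issue() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" > "$WORK/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# supplicant_accepts <ca-bundle> <expected-name or ""> <server-cert>
# Chain to the configured CA(s); if a name is configured, match it as well.
supplicant_accepts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -purpose sslserver "$3" >/dev/null 2>&1
  fi
}

make_ca corp  "Example Corp WiFi CA"          # private CA pushed via MDM/GPO/profile
make_ca other "Stand-in Public CA"            # any other CA in a broad trust store
issue corp  radius  radius.example.internal   # the real EAP server certificate
issue other foreign host.unrelated.example    # someone else's valid certificate
cat "$WORK/corp.crt" "$WORK/other.crt" > "$WORK/broad.pem"

verdict() { if supplicant_accepts "$@"; then echo accept; else echo reject; fi; }
echo "pinned CA + name, real server:  $(verdict "$WORK/corp.crt" radius.example.internal "$WORK/radius.crt")"
echo "pinned CA + name, foreign cert: $(verdict "$WORK/corp.crt" radius.example.internal "$WORK/foreign.crt")"
echo "broad store, no name check:     $(verdict "$WORK/broad.pem" "" "$WORK/foreign.crt")"
```

The third case is the one the answer warns about: when the client trusts a broad CA store and checks no server name, a certificate issued to an unrelated host is accepted, so the profile pushed to clients should carry both the CA and the expected server name.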