MR TLS Support for RADIUS

ZedGama3
Comes here often


Is there a list of supported TLS versions for MR devices?

I have a mixed environment of MR18, 32, and 53 devices. After migrating to Windows Server 2019, I found that RADIUS wasn't working for the 18 and 32 APs and was finally able to pin it down to TLS 1.0 having been disabled. Re-enabling it allowed the MR 18 and 32 devices to connect; the 53 APs didn't have any issues and appear to be negotiating TLS 1.2.

At first, I thought that the older firmware versions didn't support TLS 1.2, but then I found an article in the community stating that they didn't have a problem disabling TLS 1.0 on their server. Also, there is no mention of adding TLS 1.2 support in the change log and I find it difficult to believe that a firmware version released earlier this year wouldn't be able to negotiate TLS 1.2.

I've contacted Meraki support and was told that this is "outside the scope of Meraki support".

Related thread:
https://community.meraki.com/t5/Wireless-LAN/MR53-Issues-When-Disabling-TLS-1-0/m-p/17735

 

3 Replies
CptnCrnch
Kind of a big deal

Maybe I'm completely missing something here, but RADIUS as the protocol spoken between NAD and authentication server itself doesn't have any relation to TLS.

Are you referring to specific authentication methods like EAP-TLS? Or are you using RADIUS DTLS between MR and your RADIUS server (if so, I didn't even know that this is supported on MR)?

EDIT: I've finally taken a look at the link provided. This is then purely related to your authentication method spoken between your endpoint and your "RADIUS server". Both agree on specific parameters for authentication, but a network device posing as a "proxy" between them doesn't have anything to do with that. It simply "translates" Layer 2-based EAP to Layer 3-based RADIUS.

Meraki support is completely right by saying that this is outside the scope of their support. Sorry to say that, but ditching NPS and switching to a real RADIUS server has helped a lot of our customers to have a decent night's sleep. 😉

PhilipDAth
Kind of a big deal

It sounds like the clients you are using are too old to support TLSv1.2, or don't have it enabled.  You need to look at them, not the Meraki kit in this case.
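
An added example (not part of the thread, and not Meraki or Microsoft code): the TLS handshake of PEAP, EAP-TLS or EAP-TTLS travels inside RADIUS EAP-Message attributes that the AP only relays, so the version a client offers can be read from a captured Access-Request. The packet produced by `build_sample` is constructed sample data, and all function names are this example's own.

```python
import struct

EAP_MESSAGE = 79   # RADIUS attribute type carrying EAP (RFC 3579)
TLS_EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def eap_from_radius(packet: bytes) -> bytes:
    """Concatenate every EAP-Message attribute of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20                     # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def client_hello_version(eap: bytes):
    """Return (EAP method, version offered) for a ClientHello, else None."""
    if len(eap) < 6 or eap[0] != 2 or eap[4] not in TLS_EAP_TYPES:
        return None                        # not an EAP-Response of a TLS-based method
    tls = eap[10:] if eap[5] & 0x80 else eap[6:]   # L flag: skip 4-byte TLS length
    # TLS record header is 5 bytes (type 22 = handshake); handshake type 1 = ClientHello
    if len(tls) < 11 or tls[0] != 22 or tls[5] != 1:
        return None
    version = struct.unpack("!H", tls[9:11])[0]    # legacy client_version field
    # TLS 1.3 clients also send 0x0303 here and list versions in an extension (not parsed)
    return TLS_EAP_TYPES[eap[4]], TLS_VERSIONS.get(version, hex(version))

def build_sample(version: int) -> bytes:
    """Constructed Access-Request with a truncated PEAP ClientHello (sample data)."""
    hello = struct.pack("!H", version) + bytes(32)            # version + random
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    body = bytes([25, 0x80]) + struct.pack("!I", len(record)) + record
    eap = struct.pack("!BBH", 2, 7, 4 + len(body)) + body
    attrs = bytes([1, 5]) + b"bob" + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for v in (0x0301, 0x0303):
        print(client_hello_version(eap_from_radius(build_sample(v))))
```

To use it on real traffic, feed it the UDP payload of each Access-Request taken from a capture on the RADIUS server.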

JonathanFourie
Here to help

.
