Meraki

Community

MX vs. MR RADIUS WiFI question

Solved
thrtnastrx1
New here
‎Jun 4 2020 10:29 AM
‎Jun 4 2020 10:29 AM

MX vs. MR RADIUS WiFI question

I have some sites with MX64W's configured with one SSID, authentication to "My RADIUS server", and I have other sites with MS series configured with one SSID, authentication to "My RADIUS server" (both using the same server IP/port).  

 

Using a Windows 10 laptop, domain joined, certificate from internal Enterprise CA, 

 

When connecting to the MX wireless, left click on the network icon on the taskbar, I see the SSID, select it and "connect', the "Enter your user name and password" appears along with a link to "Connect using a certificate".  I choose certificate, select the cert, and it connects.

 

When connecting to the MS wireless, left click on the network icon on the taskbar, I see the SSID, select it and "connect', the "Enter your user name and password" appears but there is no option to "Connect using a certificate", using the same Windows 10 laptop.

 

So everything is the same except for the Meraki hardware.  How can I provide the same experience (provide the option "Connect using a certificate" to the users?

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 4 2020 11:20 AM
‎Jun 4 2020 11:20 AM

Those options are controlled by what the RADIUS server presents as allowed options to the machine.  Those options are transported inside of a PEAP packet, which is encrypted - so the AP doesn't know what you are offered or negotiate.

This is assuming you are using PEAP with MSCHAPv2 and PEAP with EAP-TLS.

 

Take a closer look at your RADIUS server config, and check the policies that are being matched in both cases.  More than likely it is matching different policies.

View solution in original post

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 4 2020 11:20 AM
‎Jun 4 2020 11:20 AM

Those options are controlled by what the RADIUS server presents as allowed options to the machine.  Those options are transported inside of a PEAP packet, which is encrypted - so the AP doesn't know what you are offered or negotiate.

This is assuming you are using PEAP with MSCHAPv2 and PEAP with EAP-TLS.

 

Take a closer look at your RADIUS server config, and check the policies that are being matched in both cases.  More than likely it is matching different policies.

In response to PhilipDAth
thrtnastrx1
New here
‎Jun 4 2020 2:36 PM
‎Jun 4 2020 2:36 PM

Yes you were exactly correct, they were matching different policies.  

 

Thank you for the suggestion!

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.