Meraki Local Authentication - Which cert to upload
We are looking into this option & use Meraki as an Authentication server for Cert-based auths (EAP-TLS) instead of the RADIUS server without enabling any connection to LDAP or OCSP.
When I enable Certificate authentication, it asks to upload "Client Certificate CA".
(Step 7. Upload the Client Certificate CA certificate used to sign the client certificate in a form of a PEM or DER file.)
What exactly is this cert?
Is it a root cert from our internal CA?
I am not all that familiar with certs so wanted to clarify.
Requirements
- All MR access points in the Network must be running MR 27.1+ firmware*
- An admin account credential for the LDAP server with read-only permissions has to be input as part of dashboard configuration
- If an Active Directory-based LDAP server is used, it must support an LDAP bind operation
- The LDAP server must support STARTTLS
- CA certificate used to sign the LDAP server's private key must be uploaded to the dashboard. This certificate is used by an MR to verify the authenticity of the LDAP server.
- The LDAP server's certificate must have a subjectAltName field that matches the Host address configured on the dashboard (either IP address or FQDN)
- Wireless clients must trust the certificate presented by the MR which is signed by a well-known Certification Authority QuoVadis for the purposes of validation of the MR for certificate-based authentication.
Please, if this post was useful, leave your kudos and mark it as solved.
Thank you. Is a RADIUS or LDAP server needed for EAP-TLS (cert-based) auth, or can Meraki handle this locally without being dependent on the RADIUS or LDAP server?
You can configure EAP-TLS Wireless Authentication with Systems Manager, but you need the license for SM.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks but we have our own MDM solution so Systems Manager is not an option. I am only interested in local cert-based auth but wanted to confirm if we can do this without using the RADIUS server or LDAP.
Note: An external RADIUS server is not involved in this process and is not needed. The RADIUS server on the MR will handle 802.1X authentication instead.
If certificate-based authentication is used, the MR will additionally check that the provided username matches either the CN or userPrincipalName in the certificate, since the username would otherwise be unauthenticated.
So, an LDAP server is required.
Please, if this post was useful, leave your kudos and mark it as solved.
You are just copying & pasting from the document which I have already read. This is why I am asking here so someone could help clarify in layman's terms. It's not helping at all.
If certificate-based authentication is used, the MR will additionally check that the provided username matches either the CN or userPrincipalName in the certificate, since the username would otherwise be unauthenticated.
--> is this optional or mandatory?
Well, in my opinion the documentation is enough to understand, and yes, it's mandatory.
Please, if this post was useful, leave your kudos and mark it as solved.
Where does it say it is mandatory? That's where I am confused.
When I go to my SSID in the Meraki dashboard, change auth to local and select cert auth, LDAP & OCSP look like they are optional.
I think it's clear, right?
Please, if this post was useful, leave your kudos and mark it as solved.
Yes, I can go ahead and upload the CA root cert. But my question is do we still need the LDAP server?
If you are in doubt, wouldn't it be easier to perform a test?
When a wireless client successfully authenticates, the MR access stores a hash of the password used to authenticate, so if the connection to the LDAP server is lost, the MR can still authenticate wireless clients based on their last known good password. This hash is also accessible by other APs in the network because the client may connect to a different AP than where its last known password is stored.
For me it does not make sense but, ok.
Otherwise, leave the LDAP option set to Do not verify certificate with LDAP. Note that in this case, any wireless device that presents a valid certificate will be able to connect to the SSID regardless of the permissions set for that device/user.
Please, if this post was useful, leave your kudos and mark it as solved.
I agree with the OP here, this is ambiguous. The documentation does suggest it's mandatory to use LDAP, but if that is the case why does the configuration allow you to have LDAP checks turned off when certificate authentication is enabled? It's either poor documentation, or poor UI checks.
