Meraki

Community

Meraki Local Authentication - Which cert to upload

RLNG
Getting noticed
‎Mar 14 2023 6:11 AM
‎Mar 14 2023 6:11 AM

Meraki Local Authentication - Which cert to upload

We are looking into this option & use Meraki as an Authentication server for Cert-based auths (EAP-TLS) instead of the RADIUS server without enabling any connection to LDAP or OSCP. 

 

When I enable Certificate authentication, it asks to upload "Client Certificate CA". 

(Step 7. Upload the Client Certificate CA certificate used to sign the client certificate in a form of a PEM or DER file.)

 

What exactly is this cert?

is it a root cert from our internal CA?

 

I am not all that familiar with certs so wanted to clarify. 

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

Labels:
0 Kudos
11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2023 7:04 AM
‎Mar 14 2023 7:04 AM

 Requirements

  • All MR access points in the Network must be running MR 27.1+ firmware*

  • An admin account credential for the LDAP server with read-only permissions has to be input as part of dashboard configuration 

  • If an Active Directory-based LDAP server is used, it must support an LDAP bind operation

  • The LDAP server must support STARTTLS

  • CA certificate used to sign the LDAP server's private key must be uploaded to the dashboard. This certificate is used by an MR to verify the authenticity of the LDAP server.

  • The LDAP server’s certificate must have a subjectAltName field that matches the Host address configured on the dashboard (either IP address or FQDN)

  • Wireless clients must trust the certificate presented by the MR which is signed by a well-known Certification Authority QuoVadis for the purposes of validation of the MR for certificate-based authentication.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
RLNG
Getting noticed
‎Mar 14 2023 7:48 AM
‎Mar 14 2023 7:48 AM

Thank you. Is RADIUS or LDAP server needed for EAP-TLS(cert based) auth or Meraki can handle this locally without being dependent on the RADIUS or LDAP server?

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2023 8:18 AM
‎Mar 14 2023 8:18 AM

You can configure EAP-TLS Wireless Authentication with Systems Manager, but you need the license for SM.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_EAP-TLS_W...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Mar 14 2023 8:32 AM
‎Mar 14 2023 8:32 AM

Thanks but we have our own MDM solution so Systems Manager is not an option. I am only interested in local cert-based auth but wanted to confirm if we can do this without using the RADIUS server or LDAP. 

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2023 8:49 AM
‎Mar 14 2023 8:49 AM

Note: An external RADIUS server is not involved in this process and is not needed. The RADIUS server on the MR will handle 802.1X authentication instead.

 

If certificate-based authentication is used, the MR will additionally check that the provided username matches either the CN or userPrincipalName in the certificate, since the username would otherwise be unauthenticated.

 

So, LDAP server is required.

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Mar 14 2023 11:07 AM
‎Mar 14 2023 11:07 AM

You are just copying & pasting from the document which I have already read. This is why I am asking here so someone could help clarify in layman's terms. It's not helping at all. 

 

If certificate-based authentication is used, the MR will additionally check that the provided username matches either the CN or userPrincipalName in the certificate, since the username would otherwise be unauthenticated.

--> is this optional or mandatory? 

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2023 11:36 AM
‎Mar 14 2023 11:36 AM

Well, in my opinion the documentation is enough to understand, and yes It's mandatory.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Mar 14 2023 12:23 PM
‎Mar 14 2023 12:23 PM

Where does it say it is mandatory? That's where I am confused. 

when I go to my SSID in the Meraki dashboard and change auth to local and select Cert auth. LDAP & OSCP looks like they are optional. 

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2023 12:39 PM
‎Mar 14 2023 12:39 PM

alemabrahao_0-1678822676492.png

 

 

alemabrahao_1-1678822708121.png

 

 

I think it's clear right?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
RLNG
Getting noticed
‎Mar 14 2023 1:33 PM
‎Mar 14 2023 1:33 PM

Yes, I can go ahead and upload the CA root cert. But my question is do we still need the LDAP server?

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2023 3:20 PM
‎Mar 14 2023 3:20 PM

If you are in doubt wouldn't it be easier to perform a test?

 

When a wireless client successfully authenticates, the MR access stores a hash of the password used to authenticate, so if the connection to the LDAP server is lost, the MR can still authenticate wireless clients based on their last known good password. This hash is also accessible by other APs in the network because the client may connect to a different AP than where its last known password is stored.

 

For me it does not make sense but, ok.

 

Otherwise, leave the LDAP option set to Do not verify certificate with LDAP. Note that in this case, any wireless device that presents a valid certificate will be able to connect to the SSID regardless of the permissions set for that device/user.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.