Question about SCEP Certificates and multiple SSIDs across different networks



Hey everyone!


We're a mostly Meraki house currently in the process of phasing out our old switching infrastructure. We've rolled out Meraki APs to our newest 5 buildings, all of which have their own Meraki networks set up for them. We have just started using Systems Manager Sentry WiFi for authentication in 4 of those buildings/networks. All 4 buildings have different SSIDs, but they all use SM Sentry WiFi for their (unique) SSIDs.


We've set up the tags for the devices we want to be able to connect. All 4 buildings have their SM Sentry WiFi auth settings using Meraki Cloud Authentication, with the network and tag involved being the same across all SSIDs (for example, all SSIDs should authenticate with devices in the "Staff" SM network, which have the "Portable" tag). All devices tagged in this manner are Windows 10 devices.


It's been working without much issue until yesterday. As of yesterday, the properly tagged devices will ask the user which certificate they want to use to authenticate to the SSID. After the user picks "SCEP WiFi Certificate for XXXX....", the authentication is denied. As with most Windows WiFi profiles, the ability to use 'Simple Certificate Selection' is on by default.


In troubleshooting, I noticed that my laptop (one of the affected devices) had 5 different SCEP certificates from Meraki in my user certificate store. I deleted all the certificates, hard-wired my laptop, and forced the SM Sentry WiFi profile settings to download again in Systems Manager. After that, the authentication process asks which certificate to use again, but the authentication goes through. After forcing one profile (the one in my building), I have two SCEP certificates, and after forcing the other profiles, I have a total of three.

My question is this: How many SCEP certificates should I have in my personal cert store from Meraki when using Sentry WiFi to connect at multiple buildings/networks? Is there a way to keep Windows from getting confused about which SCEP certificate is the right one for its associated SSID? Or am I misplacing the problem, and there's actually something else that's the real root of the problem?


I've been looking through as much documentation (both Meraki and Windows) as I can, but maybe my Google-fu is lacking. If someone can point me to some documentation that helps answer my question, that would also be appreciated.


Thanks for any ideas you may have.
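
An added example, not part of the original post: a read-only PowerShell inventory of the current user's personal certificate store, the check described in the troubleshooting paragraph above. The match string `SCEP` is an assumption taken from the certificate name shown in the Windows prompt; the script deletes nothing.

```powershell
# Added example: list the SCEP-issued certificates in the current user's
# personal store so duplicates, expiry and issuer can be compared per device.
# Assumption: the certificates can be recognised by "SCEP" in the subject,
# issuer or friendly name. Adjust $pattern to what the store actually shows.
$pattern       = 'SCEP'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now           = Get-Date

$certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.Subject -match $pattern -or
    $_.Issuer -match $pattern -or
    $_.FriendlyName -match $pattern
}

$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        Thumbprint    = $c.Thumbprint
        NotBefore     = $c.NotBefore
        NotAfter      = $c.NotAfter
        Expired       = $c.NotAfter -lt $now
        HasPrivateKey = $c.HasPrivateKey
        # True when the certificate carries the Client Authentication EKU
        ClientAuth    = [bool]($c.EnhancedKeyUsageList |
                            Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
}

# One row per certificate, oldest first within each issuer
$report | Sort-Object Issuer, NotBefore | Format-Table -AutoSize

# Issuers that appear more than once, with the thumbprints involved
$report | Group-Object Issuer | Where-Object Count -gt 1 |
    Select-Object Count,
        @{ Name = 'Issuer';      Expression = { $_.Name } },
        @{ Name = 'Thumbprints'; Expression = { $_.Group.Thumbprint -join ', ' } } |
    Format-List
```

Running it before and after forcing each Sentry profile to re-download shows which profile adds which certificate.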
