Meraki

Community

Wireless Authentication with Certificate Only Failure

Danimax01
Conversationalist
‎Jan 12 2024 5:10 AM
‎Jan 12 2024 5:10 AM

Wireless Authentication with Certificate Only Failure

We are trying to setup wireless authentication using certificate alone and configured the SSID access control according to this article 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

 

This is the resulting setting for us

 

Danimax01_0-1705064756103.png

 

 

We want to use only certificate to authenticate and use the in-built radius server in Meraki AP because we don't have any on-premise infrastructure at all.

 

Whenever laptop try to connect to the SSID, they get prompted for username and passowrd, even though the certificate has been deployed on the  laptop and the connection fails with error Failed authentication EAP Failure.

 

Why is it prompting user for username and password eventhough we enabled only certificate authentication and disabled password authentication.

 

Any help or suggestion will be appreciated.

Labels:
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 5:17 AM
‎Jan 12 2024 5:17 AM

Ensure that the certificate is correctly configured on the client devices. The certificate should be installed in the correct certificate store on the device.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Danimax01
Conversationalist
‎Jan 12 2024 5:26 AM
‎Jan 12 2024 5:26 AM

The certificate are installed on Personal store for both local computer and current user.

 

The Iden Trust root CA is installed on Trusted Root CA Store

0 Kudos
In response to Danimax01
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 5:29 AM
‎Jan 12 2024 5:29 AM

Take a look at the documentation.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

 

I suggest that if the documentation doesn't help you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Danimax01
Conversationalist
‎Jan 12 2024 5:31 AM
‎Jan 12 2024 5:31 AM

I reference the doc already.

 

Question:

Is the SSID still meant to prompt for username and password even though i enabled only certificate authentication?

0 Kudos
In response to Danimax01
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 5:50 AM
‎Jan 12 2024 5:50 AM

Theoretically it wasn't.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Danimax01
Conversationalist
‎Jan 12 2024 6:02 AM
‎Jan 12 2024 6:02 AM

Thank you for your contribution.

 

i will open a support case.

0 Kudos
In response to Danimax01
BPS
Comes here often
‎Aug 13 2024 10:32 AM
‎Aug 13 2024 10:32 AM

any luck? I'm having the same issues with the same setup

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 12 2024 1:55 PM
‎Jan 12 2024 1:55 PM

It is normal to see a request for username and password if there is no WLAN profile configured on the client. The client doesn’t have any knowledge if the System wants username/password or a certificate. But when choosing EAP-TLS at least the password request should go away. At least this is how it works for me.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jan 14 2024 3:59 AM
‎Jan 14 2024 3:59 AM

^ This ^ .  Your client has to be configured to use EAP-TLS instead of EAP-PEAP and does have to know what cert to use for user auth.

0 Kudos
In response to GIdenJoe
SPCHO
Just browsing
‎Feb 16 2024 2:40 AM
‎Feb 16 2024 2:40 AM

Hi @GIdenJoe 

 

Can you tell me how you set up the profile?

 

I created an SSID and exported the root certificate from my client certificate and uploaded it as a PEM in the dashboard.

I set up the WLAN profile as described here at Cisco (only the section for the profile): https://www.cisco.com/c/de_de/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-...

 

However, a connection is still not possible.


The event log in the dashboard only shows "802.1X Failed authentication (EAP failure)".

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.