Wireless Authentication with Certificate Only Failure

Danimax01
Conversationalist

We are trying to set up wireless authentication using a certificate alone and configured the SSID access control according to this article:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

This is the resulting setting for us:

[Screenshot: Danimax01_0-1705064756103.png]

We want to use only a certificate to authenticate and use the in-built RADIUS server in the Meraki AP because we don't have any on-premise infrastructure at all.

Whenever laptops try to connect to the SSID, they get prompted for a username and password, even though the certificate has been deployed on the laptop, and the connection fails with the error "Failed authentication EAP Failure".

Why is it prompting the user for a username and password even though we enabled only certificate authentication and disabled password authentication?

Any help or suggestion will be appreciated.

alemabrahao
Kind of a big deal

Ensure that the certificate is correctly configured on the client devices. The certificate should be installed in the correct certificate store on the device.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Danimax01
Conversationalist

The certificates are installed in the Personal store for both the local computer and the current user.

The IdenTrust root CA is installed in the Trusted Root CA store.

alemabrahao
Kind of a big deal

Take a look at the documentation.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

I suggest that, if the documentation doesn't help, you open a support case.

Danimax01
Conversationalist

I referenced the doc already.

Question:

Is the SSID still meant to prompt for a username and password even though I enabled only certificate authentication?

alemabrahao
Kind of a big deal

Theoretically it wasn't.

Danimax01
Conversationalist

Thank you for your contribution.

I will open a support case.

BPS
Comes here often

Any luck? I'm having the same issues with the same setup.

KarstenI
Kind of a big deal

It is normal to see a request for username and password if there is no WLAN profile configured on the client. The client doesn't have any knowledge of whether the system wants a username/password or a certificate. But when choosing EAP-TLS, at least the password request should go away. At least this is how it works for me.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
GIdenJoe
Kind of a big deal

^ This ^. Your client has to be configured to use EAP-TLS instead of EAP-PEAP and does have to know what cert to use for user auth.
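
Added example, not part of the original thread or any poster's code: on a Windows client (an assumption, based on the certificate stores mentioned earlier), the point made in the last two replies can be checked by exporting the WLAN profile with `netsh wlan export profile` and reading its outer EAP type, where 13 is EAP-TLS and 25 is PEAP. The profile XML below is a constructed, trimmed sample and `corp-wifi` is a placeholder SSID.

```python
import xml.etree.ElementTree as ET

EAP_NAMES = {13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method type numbers

# Constructed, trimmed sample in the layout of `netsh wlan export profile` output.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>corp-wifi</name>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication><useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machine</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap}</Type></EapMethod>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def first_text(root, name):
    """Text of the first element with this local name, or None."""
    for el in root.iter():
        if local(el.tag) == name and el.text and el.text.strip():
            return el.text.strip()
    return None

def outer_eap_type(root):
    """Outer method = the Type that is a direct child of EapMethod."""
    for el in root.iter():
        if local(el.tag) == "EapMethod":
            for child in el:
                if local(child.tag) == "Type":
                    return int(child.text.strip())
    return None

def audit_profile(xml_text):
    root = ET.fromstring(xml_text)
    eap = outer_eap_type(root)
    findings = []
    if first_text(root, "useOneX") != "true":
        findings.append("802.1X (useOneX) is not enabled")
    if eap != 13:
        findings.append("outer EAP method is %s, not EAP-TLS (13)" % EAP_NAMES.get(eap, eap))
    return {"ssid": first_text(root, "name"), "eap": EAP_NAMES.get(eap, eap),
            "auth_mode": first_text(root, "authMode"), "findings": findings}

if __name__ == "__main__":
    for eap in (13, 25):
        print(audit_profile(SAMPLE.format(eap=eap)))
```

An empty `findings` list means the profile asks for EAP-TLS; a profile that reports PEAP is one that will prompt for a username and password.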

SPCHO
Just browsing

Hi @GIdenJoe

Can you tell me how you set up the profile?

I created an SSID and exported the root certificate from my client certificate and uploaded it as a PEM in the dashboard.

I set up the WLAN profile as described here at Cisco (only the section for the profile): https://www.cisco.com/c/de_de/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-...

However, a connection is still not possible.

The event log in the dashboard only shows "802.1X Failed authentication (EAP failure)".
