I am looking into deploying wireless network with LDAP authentication. Meraki supports "Local Auth" where RADIUS service runs inside access point. When client authenticates to WIFI then RADIUS in AP will accept credentials and AP will communicate directly to domain controller over LDAP to check credentials. https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X My issue is that as RADIUS runs inside access point certificate presented to client when they connect to WIFI is presented by access point. Meraki has designed every access point to present it's own certificate (even if same SSID is used across all APs). So when client connects to WIFI and then roams to coverage area of other access point then wireless stops working and user needs to log into WIFI again. This means that any time you have more than 1 access point you can't use Local Auth and only way is to use dedicated RADIUS server. Even link I pasted above says that it is like this by design: "When using 802.1X - Local auth, each AP uses it's own RADIUS server certificate to authenticate client. Every time a client connects to an AP, it receives the AP's RADIUS server certificate and if the client trusts it, it sends its credentials or its own certificate to be authenticated. The client must trust each AP's RADIUS server certificate on the network?" This design seems to be so dumb. Why can't certificate be SSID based? Any thoughts?
... View more