Although Meraki connects over port 389, it is not clear-text LDAP. It will try to negotiate a secure connection, which means that the LDAP server needs to present a certificate and Meraki needs to trust it. I pointed Meraki directly to the AD domain controller as 2FA was not needed for WiFi. After it was clear that Meraki's built-in LDAP auth is not usable if there is more than 1 AP in the environment, I started looking into deploying a dedicated RADIUS server. Initially I wanted to use FreeRADIUS, but Meraki doesn't support sending user credentials to RADIUS to perform LDAP binding (it only supports challenge handshake), so I took the simple path and used a domain-joined Windows server with the NPS service to perform RADIUS to LDAP authentication, and it finally works as needed. Challenge handshake doesn't work with LDAP binding. http://deployingradius.com/documents/protocols/oracles.html
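Added example (not part of the post above, and not Meraki, FreeRADIUS or NPS code) illustrating why a challenge/response method cannot be verified by an LDAP bind while PAP can. The directory, salt, user and password are constructed; `ldap_bind` stands in for a real LDAP simple bind, which only ever answers "yes/no" to a supplied password and never returns the password itself. The CHAP computation is the real RFC 1994 one (MD5 over id, secret and challenge); MS-CHAPv2, which 802.1X deployments typically use, has the same property but needs the NT hash instead, which is why a domain-joined NPS can verify it and a plain LDAP backend cannot.

```python
import hashlib
import hmac

# Constructed stand-in for the LDAP directory: it stores a salted, slow hash of
# the password and exposes only a bind operation. There is no way to get the
# clear-text password (or an NT hash) back out of it.
_SALT = b"constructed-salt"
_DIRECTORY = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10000),
}


def ldap_bind(username: str, password: str) -> bool:
    """Simulated LDAP simple bind: succeeds only when given the clear-text password."""
    stored = _DIRECTORY.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10000)
    return hmac.compare_digest(stored, candidate)


# PAP: the supplicant's password reaches the RADIUS server (RFC 2865 User-Password,
# obfuscated on the wire with the shared secret but recoverable by the server),
# so the server can simply try an LDAP bind with it.
def radius_pap_authenticate(username: str, password: str) -> bool:
    return ldap_bind(username, password)


# CHAP (RFC 1994): the supplicant only sends MD5(id || password || challenge).
def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def radius_chap_authenticate(username: str, chap_id: int, challenge: bytes,
                             response: bytes, password_store: dict) -> bool:
    """Verify a CHAP response.

    The server must recompute the hash itself, so it needs the clear-text
    password from a store it controls. An LDAP bind cannot supply it: there is
    no password in the request to bind with, and the directory will not hand
    one back. With an LDAP-only backend `password_store` is empty and every
    authentication fails, which is the failure mode the post describes.
    """
    clear = password_store.get(username)
    if clear is None:
        return False
    expected = chap_response(chap_id, clear, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both paths against the constructed directory and return the outcomes."""
    challenge = bytes(range(16))        # constructed, fixed for reproducibility
    chap_id = 7
    resp = chap_response(chap_id, "correct horse", challenge)
    return {
        "pap_via_ldap_bind": radius_pap_authenticate("alice", "correct horse"),
        "chap_with_ldap_only_backend": radius_chap_authenticate(
            "alice", chap_id, challenge, resp, {}),
        "chap_with_local_cleartext_store": radius_chap_authenticate(
            "alice", chap_id, challenge, resp, {"alice": "correct horse"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The practical consequence for a defender is the one the post lands on: if the access point will only do challenge/response, the RADIUS server must hold (or be able to obtain) the password material itself, which is what a domain-joined NPS gets from AD and what a RADIUS-to-LDAP-bind design can never get. Choosing PAP to make the bind work is a trade-off, because the password then travels to the RADIUS server and must be protected by the EAP tunnel (for example EAP-TTLS/PAP) and by TLS between RADIUS and LDAP.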