Found the solution for this issue after working with Meraki support. Apparently, either the Common Name or a Subject Alternative Name of the SCEP cert deployed to Android devices must match the outer identity configured in the Wi-Fi profile for the Meraki AP to accept it. Issuing a new certificate with a different SAN and using this value as the outer identity in the Wi-Fi profile deployed by Intune resolved the issue.
Hi Guys, I am trying to get Meraki local authentication working for Wi-Fi devices with EAP-TLS authentication.

Current topology:
- Azure AD joined Windows and Android devices (dedicated).
- SCEP certs deployed to clients.
- Root cert uploaded to the Meraki Wi-Fi SSID with local auth enabled.
- OCSP configured and tested.
- Wi-Fi profile getting deployed via Intune.

What works:
- Windows clients can successfully connect to Wi-Fi with EAP-TLS when using this setup, and OCSP checks work as well.

What does not work:
- Android devices fail the authentication when using "anonymous" as the outer identity (identity privacy).

What I have tried:
- Turning off OCSP verification - does not help.
- Starting a packet capture with Wireshark - I can see that the client sends the correct certificate to Meraki, however it gets an EAP failure code - trying to figure out why.

Workaround I found:
- When deploying the Wi-Fi configuration, changing the outer identity field to the common name of the device certificate makes this authentication work. However, this is not ideal as you will need to deploy a separate profile to each device with their own cert Common Name as outer identity, which would be a management nightmare. Also, based on my experience the outer identity text should not matter, as it is just used to create a secure tunnel to send the inner identity credentials.

I am looking for some help to resolve this issue. Thanks!
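A pre-deployment check for the matching rule described in this thread (outer identity must equal the device cert's CN or a SAN), added here as an example and not code from the thread, Meraki or Intune; it assumes the openssl CLI (1.1.1+ for `-ext`/`-addext`) and builds a constructed self-signed sample cert instead of a real SCEP-issued one.

```shell
#!/bin/sh
# Added example (not from the thread): check that the outer identity in an
# Intune Wi-Fi profile equals the CN or a SAN of the device certificate, the
# condition the thread reports Meraki local auth enforces for EAP-TLS.
# Assumes the openssl CLI. Only DNS/email/IP SANs are handled; a UPN othername
# SAN is printed differently by openssl and would need a separate parser.

# Returns 0 if "$2" equals the Common Name or any SAN value of PEM cert "$1".
outer_identity_matches() {
    cert="$1"; identity="$2"
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    # "DNS:a, email:b" -> one bare value per line with the type prefix dropped
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
           tail -n +2 | tr ',' '\n' | sed 's/^ *[^:]*://')
    if [ -n "$cn" ] && [ "$cn" = "$identity" ]; then return 0; fi
    if printf '%s\n' "$sans" | grep -Fxq -- "$identity"; then return 0; fi
    return 1
}

# Constructed sample device cert (self-signed, demo only):
# CN=device01, SAN=DNS:device01.corp.example. Prints the cert path.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=device01" \
        -addext "subjectAltName=DNS:device01.corp.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Demo: the thread's failing value "anonymous" is rejected; CN and SAN pass.
CERT=$(make_sample_cert)
for id in anonymous device01 device01.corp.example; do
    if outer_identity_matches "$CERT" "$id"; then
        echo "$id: matches cert CN/SAN, Meraki should accept"
    else
        echo "$id: no CN/SAN match, expect EAP failure"
    fi
done
```

Run it against the actual SCEP-issued cert exported from a device (and the exact outer identity string from the profile) before pushing the profile fleet-wide.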