https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466974#M291284 <P>Hi Guys,</P><P>I am trying to get Meraki local authentication working for Wi-Fi device with eap-tls authentication.</P><P>Current topology:</P><P>- Azure AD joined windows and android devices (dedicated).</P><P>- SCEP certs deployed to clients.</P><P>- Root cert uploaded to meraki wifi ssid with local auth enabled.</P><P>- OCSP configured and test.</P><P>- Wi-Fi profile getting deployed via Intune.</P><P>What works:</P><P>- Windows clients can successfully connect to Wi-Fi with EAP-TLS when using this setup and OCSP checks work as well.</P><P>What does not work:</P><P>- Android devices fail the authentication when using "anonmyous" as outer identity (identity privacy).</P><P>What I have tried.</P><P>- Turning off OCSP verification - Does not help.</P><P>- Start a packet capture with wireshark - I can see that the client send the correct certificate to Meraki however gets a EAP failure code - trying to figure out why.</P><P>Workaround I found:</P><P>- When deploying the Wi-Fi configuration changing the outer identity field to the common name of the device certificate makes this authentication work.</P><P>However, this is not ideal as you will need to deploy a separate profile to each device with their own cert Common name as outer identity which would be a management nightmare.</P><P>Also, based on my experience the outer identity text should not matter as it is just used to create a secure tunnel to send inner identity credentials.</P><P>I am looking for some help to resolve this issue.</P><P>Thanks!</P> Mon, 05 Jun 2023 14:09:11 GMT PPatel3 2023-06-05T14:09:11Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466974#M291284 <P>Hi Guys,</P><P>I am trying to get Meraki local authentication working for Wi-Fi device with eap-tls authentication.</P><P>Current topology:</P><P>- Azure AD joined windows and android devices (dedicated).</P><P>- SCEP certs deployed to clients.</P><P>- Root cert uploaded to meraki wifi ssid with local auth enabled.</P><P>- OCSP configured and test.</P><P>- Wi-Fi profile getting deployed via Intune.</P><P>What works:</P><P>- Windows clients can successfully connect to Wi-Fi with EAP-TLS when using this setup and OCSP checks work as well.</P><P>What does not work:</P><P>- Android devices fail the authentication when using "anonmyous" as outer identity (identity privacy).</P><P>What I have tried.</P><P>- Turning off OCSP verification - Does not help.</P><P>- Start a packet capture with wireshark - I can see that the client send the correct certificate to Meraki however gets a EAP failure code - trying to figure out why.</P><P>Workaround I found:</P><P>- When deploying the Wi-Fi configuration changing the outer identity field to the common name of the device certificate makes this authentication work.</P><P>However, this is not ideal as you will need to deploy a separate profile to each device with their own cert Common name as outer identity which would be a management nightmare.</P><P>Also, based on my experience the outer identity text should not matter as it is just used to create a secure tunnel to send inner identity credentials.</P><P>I am looking for some help to resolve this issue.</P><P>Thanks!</P> Mon, 05 Jun 2023 14:09:11 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466974#M291284 PPatel3 2023-06-05T14:09:11Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466975#M291285 <P>EAP-TLS with which protocol WPA2 or WPA3?</P> Mon, 05 Jun 2023 15:26:15 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466975#M291285 DainBrammage 2023-06-05T15:26:15Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466976#M291286 <P>WAP2</P> Mon, 05 Jun 2023 17:19:15 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466976#M291286 PPatel3 2023-06-05T17:19:15Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466977#M291287 <P>Are you using an alternate management interface for RADIUS?</P> Mon, 05 Jun 2023 20:19:41 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466977#M291287 DainBrammage 2023-06-05T20:19:41Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466978#M291288 <P>Hi,</P><P>Sorry for the delayed reply. We are not using the alternate management interface.</P> Wed, 07 Jun 2023 13:43:02 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466978#M291288 PPatel3 2023-06-07T13:43:02Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466979#M291289 <P>Found the solution for this issue after working with Meraki support.</P><P>Apparently, either the Common Name or Subject Alternative Name of the SCEP cert deployed to android devices must match the outer identity configured in the Wi-Fi profile for Meraki AP to accept it. Issuing a new certificate with a different SAN and using this value as the outer identity in the Wi-Fi profile deployed by Intune, resolved the issue.</P> Tue, 20 Jun 2023 12:46:29 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466979#M291289 PPatel3 2023-06-20T12:46:29Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466980#M291290 <P>Hi - We are also trying to get this to work (exact the same topology) but not able to get this working with certificate on a WIN10 client. User auth is working well (local auth with SLDAP AAD). Meraki AP is showing a problem with the internal Radius of the MR:</P><P>Client failed 802.1X authentication to the RADIUS server.<SPAN class=""> auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' reason='radius_login_failure' radio='1' vap='0' channel='44' rssi='47'</SPAN></P><P><SPAN class="">and</SPAN></P><P><SPAN class="">Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='127.0.0.1' details='conn_refused' reason='radius_timeout' radio='1' vap='0' channel='44' rssi='48'</SPAN></P><P><SPAN class="">At this point meraki support is looking in to this problem but for now no sollution yet. We have tested with a MR33 and <SPAN class="">CW9166I</SPAN> accespoint. MB we are doing some wrong configuration (followed this reference <A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X</A>)</SPAN></P><P>Is it possible that you can share some configuration to check if we have the correct setup.</P><P>Thanks in advance - PietK</P> Thu, 14 Sep 2023 15:27:20 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466980#M291290 theob 2023-09-14T15:27:20Z https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466981#M291291 <P>Hi, we just resolved this issue. <BR />Solution : Install the IdenTrust Root CA 1 certificate on your end devices.<BR />Please refer to : : <A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X</A></P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Auth. configuration-2.JPG" style="width: 828px;"><span class="lia-inline-image-display-wrapper" image-alt="image.jpeg"><img src="https://community.cisco.com/t5/image/serverpage/image-id/271506i8BA6EEDF7AF07246/image-size/large?v=v2&amp;px=999" role="button" title="image.jpeg" alt="image.jpeg" /></span></SPAN></P> Fri, 15 Sep 2023 13:22:23 GMT https://community.cisco.com/t5/wireless/local-auth-issues-with-android-devices/m-p/5466981#M291291 bdcvc 2023-09-15T13:22:23Z