https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486626#M296862 <P>Take a look at the documentation.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X</A></P><P>I suggest that if the documentation doesn't help you open a support case.</P> Fri, 12 Jan 2024 13:29:20 GMT aleabrahao 2024-01-12T13:29:20Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486623#M296859 <P>We are trying to setup wireless authentication using certificate alone and configured the SSID access control according to this article </P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X" target="_blank" rel="noopener nofollow noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X</A></P><P>This is the resulting setting for us</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danimax01_0-1705064756103.png" style="width: 400px;"><span class="lia-inline-image-display-wrapper" image-alt="image.png"><img src="https://community.cisco.com/t5/image/serverpage/image-id/273173i8E3426837AAFF66B/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></SPAN></P><P>We want to use only certificate to authenticate and use the in-built radius server in Meraki AP because we don't have any on-premise infrastructure at all.</P><P>Whenever laptop try to connect to the SSID, they get prompted for username and passowrd, even though the certificate has been deployed on the laptop and the connection fails with error Failed authentication EAP Failure.</P><P>Why is it prompting user for username and password eventhough we enabled only certificate authentication and disabled password authentication.</P><P>Any help or suggestion will be appreciated.</P> Fri, 12 Jan 2024 13:10:41 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486623#M296859 danimax01 2024-01-12T13:10:41Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486624#M296860 <P>Ensure that the certificate is correctly configured on the client devices. The certificate should be installed in the correct certificate store on the device.</P> Fri, 12 Jan 2024 13:17:08 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486624#M296860 aleabrahao 2024-01-12T13:17:08Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486625#M296861 <P>The certificate are installed on Personal store for both local computer and current user.</P><P>The Iden Trust root CA is installed on Trusted Root CA Store</P> Fri, 12 Jan 2024 13:26:43 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486625#M296861 danimax01 2024-01-12T13:26:43Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486626#M296862 <P>Take a look at the documentation.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X</A></P><P>I suggest that if the documentation doesn't help you open a support case.</P> Fri, 12 Jan 2024 13:29:20 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486626#M296862 aleabrahao 2024-01-12T13:29:20Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486627#M296863 <P>I reference the doc already.</P><P>Question:</P><P>Is the SSID still meant to prompt for username and password even though i enabled only certificate authentication?</P> Fri, 12 Jan 2024 13:31:44 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486627#M296863 danimax01 2024-01-12T13:31:44Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486628#M296864 <P>Theoretically it wasn't.</P> Fri, 12 Jan 2024 13:50:53 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486628#M296864 aleabrahao 2024-01-12T13:50:53Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486629#M296865 <P>Thank you for your contribution.</P><P>i will open a support case.</P> Fri, 12 Jan 2024 14:02:33 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486629#M296865 danimax01 2024-01-12T14:02:33Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486630#M296866 <P>It is normal to see a request for username and password if there is no WLAN profile configured on the client. The client doesn’t have any knowledge if the System wants username/password or a certificate. But when choosing EAP-TLS at least the password request should go away. At least this is how it works for me.</P> Fri, 12 Jan 2024 21:55:42 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486630#M296866 Karsten Iwen 2024-01-12T21:55:42Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486631#M296867 <P>^ This ^ . Your client has to be configured to use EAP-TLS instead of EAP-PEAP and does have to know what cert to use for user auth.</P> Sun, 14 Jan 2024 11:59:21 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486631#M296867 joey.debra 2024-01-14T11:59:21Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486632#M296868 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/15353">@joey.debra</A> </P><P>Can you tell me how you set up the profile?</P><P>I created an SSID and exported the root certificate from my client certificate and uploaded it as a PEM in the dashboard.</P><P>I set up the WLAN profile as described here at Cisco (only the section for the profile): <A href="https://www.cisco.com/c/de_de/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html#toc-hId-408191516" target="_blank" rel="nofollow noopener noreferrer">https://www.cisco.com/c/de_de/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html#toc-hId-408191516</A></P><P>However, a connection is still not possible.</P><P><BR />The event log in the dashboard only shows "802.1X Failed authentication (EAP failure)".</P> Fri, 16 Feb 2024 10:40:31 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486632#M296868 SPCHO 2024-02-16T10:40:31Z https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486633#M296869 <P>any luck? I'm having the same issues with the same setup</P> Tue, 13 Aug 2024 17:32:36 GMT https://community.cisco.com/t5/wireless/wireless-authentication-with-certificate-only-failure/m-p/5486633#M296869 carl.slater 2024-08-13T17:32:36Z