Wireless Authentication with Certificate Only Failure

danimax01
Community Member

We are trying to set up wireless authentication using a certificate alone and configured the SSID access control according to this article:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X

This is the resulting setting for us

image.png

We want to use only a certificate to authenticate and use the built-in RADIUS server in the Meraki AP because we don't have any on-premise infrastructure at all.

Whenever laptops try to connect to the SSID, they get prompted for a username and password, even though the certificate has been deployed on the laptop, and the connection fails with the error "Failed authentication EAP Failure".

Why is it prompting the user for a username and password even though we enabled only certificate authentication and disabled password authentication?

Any help or suggestion will be appreciated.


aleabrahao
Meraki Community All-Star

Ensure that the certificate is correctly configured on the client devices. The certificate should be installed in the correct certificate store on the device.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

The certificates are installed in the Personal store for both local computer and current user.

The IdenTrust root CA is installed in the Trusted Root CA store.

aleabrahao
Meraki Community All-Star

Take a look at the documentation.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X

I suggest that, if the documentation doesn't help, you open a support case.


I referenced the doc already.

Question:

Is the SSID still meant to prompt for username and password even though I enabled only certificate authentication?

aleabrahao
Meraki Community All-Star

Theoretically it wasn't.


Thank you for your contribution.

I will open a support case.

Any luck? I'm having the same issues with the same setup.

It is normal to see a request for username and password if there is no WLAN profile configured on the client. The client doesn’t have any knowledge if the System wants username/password or a certificate. But when choosing EAP-TLS at least the password request should go away. At least this is how it works for me.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

joey.debra
Meraki Community All-Star

^ This ^ . Your client has to be configured to use EAP-TLS instead of EAP-PEAP and does have to know what cert to use for user auth.
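
Added example (not part of the original thread, and not Meraki's or Cisco's code): a small check of which outer EAP method a Windows WLAN profile requests, meant to be run on the XML written by `netsh wlan export profile`. The SSID name `Corp-WiFi` and the trimmed sample profiles are constructed for the demo; EAP type 13 is EAP-TLS and 25 is PEAP.

```python
import xml.etree.ElementTree as ET

# XML namespaces used in Windows WLAN profile exports.
WLAN = "{http://www.microsoft.com/networking/WLAN/profile/v1}"
EAP_HOST = "{http://www.microsoft.com/provisioning/EapHostConfig}"
EAP_COMMON = "{http://www.microsoft.com/provisioning/EapCommon}"
EAP_NAMES = {13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method numbers

def outer_eap_method(profile_xml: str):
    """Return (ssid, method); method is None if the profile has no 802.1X/EAP."""
    root = ET.fromstring(profile_xml)
    ssid = root.findtext(f"{WLAN}name")
    if root.findtext(f".//{WLAN}useOneX") != "true":
        return ssid, None
    # <EapMethod>/<Type> under <EapHostConfig> names the outer EAP method.
    eap_type = root.find(f".//{EAP_HOST}EapMethod/{EAP_COMMON}Type")
    if eap_type is None or not (eap_type.text or "").strip():
        return ssid, None
    number = int(eap_type.text.strip())
    return ssid, EAP_NAMES.get(number, f"EAP type {number}")

def diagnose(profile_xml: str) -> str:
    """Compare the profile against an SSID that accepts certificates only."""
    ssid, method = outer_eap_method(profile_xml)
    if method is None:
        return f"{ssid}: no 802.1X/EAP method configured"
    if method == "EAP-TLS":
        return f"{ssid}: EAP-TLS, matches certificate-only SSID"
    return f"{ssid}: {method}, mismatch with certificate-only SSID"

def sample_profile(eap_type: int) -> str:
    """Constructed, trimmed profile for the demo (not a real export)."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-WiFi</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod>
          <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type>
        </EapMethod></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for t in (13, 25):
        print(diagnose(sample_profile(t)))
```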

SPCHO
Community Member

Hi @joey.debra

Can you tell me how you set up the profile?

I created an SSID and exported the root certificate from my client certificate and uploaded it as a PEM in the dashboard.

I set up the WLAN profile as described here at Cisco (only the section for the profile): https://www.cisco.com/c/de_de/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html#toc-hId-408191516

However, a connection is still not possible.


The event log in the dashboard only shows "802.1X Failed authentication (EAP failure)".
