Meraki Authentication Server Certificate Rotation (23 Oct 2017)
Overview
Due to an approaching certificate expiration and an incompatibility with Apple's iOS 11 that prevented client associations, Meraki rotated the RADIUS server certificate for Meraki Authentication on 23 October 2017. The expected impact and the remediation steps for potential issues are described below.
Meraki Authentication with Sentry Wifi
Users of Meraki Authentication with Systems Manager Sentry Wifi whose devices were online during the week of 15 October 2017 will have no user-visible impact.
Users whose devices were not online during that period, or were unable to associate due to the iOS 11 incompatibility, simply need to associate to an SSID which allows them to check in with dashboard for long enough for a check-in cycle to complete (~2 minutes). The device then receives the updated payload and resumes normal operation.
Meraki Authentication without Sentry Wifi
Users of Meraki Authentication without Sentry Wifi will need to 'trust' the new certificate, which carries the information below, upon associating to the Meraki Authentication SSID on or after 23 October 2017. Some devices may require the SSID to be "forgotten" before they will prompt to accept the new certificate.
Host: radius.meraki.com
Issued: COMODO RSA Domain Validation Secure Server CA
Expires: Thursday, August 13, 2020
Certificate Details
Below is a copy of the certificate which users will be required to accept, as well as the plaintext output from reading the certificate with openssl:
meraki$ openssl x509 -noout -text -in ./new.meraki-auth-radius.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:70:86:cd:3d:48:2b:58:dd:f2:04:d6:20:24:8f:14
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug 14 00:00:00 2017 GMT
            Not After : Aug 13 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=EssentialSSL, CN=radius.meraki.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a6:5a:5c:28:2b:97:40:90:75:11:13:42:48:4c:
                    d6:c0:bf:8c:f0:d2:59:d1:4d:56:03:16:19:40:76:
                    1c:2b:42:c4:b8:82:68:dc:36:ca:7b:1f:6e:55:65:
                    f9:05:c8:1c:18:80:cd:4a:f2:5f:30:69:bc:16:b9:
                    0d:65:85:c3:12:21:2c:c3:84:2d:6d:99:78:13:7a:
                    af:69:a1:7e:7a:eb:af:01:7b:be:30:ec:a2:3a:6c:
                    98:ec:29:74:6c:64:4e:bd:bd:85:29:65:fe:cd:50:
                    4b:b9:1e:6d:6a:a6:e1:48:a5:2d:9b:06:39:11:8f:
                    72:be:05:8b:11:3d:01:ba:9d:03:ed:f7:04:5f:bc:
                    26:da:0e:80:d9:83:5e:8d:51:c4:91:d2:ae:57:ff:
                    fe:9b:16:35:51:a3:7c:97:08:61:c8:02:7d:d5:9d:
                    4b:c5:5e:06:1e:a0:91:63:da:6b:de:be:a5:30:29:
                    1b:38:7a:10:4b:d4:d4:0b:ad:4b:9d:70:ff:33:31:
                    b0:fb:0b:ab:f2:b2:5c:d4:fd:15:7e:f1:be:7a:36:
                    4e:e9:06:fb:e2:ee:f7:25:93:ad:64:af:31:09:70:
                    8c:c9:cf:05:7e:47:46:fa:96:0e:c1:e5:f7:48:ef:
                    a7:40:0c:3c:6f:76:fe:e2:7c:32:96:c2:76:0a:5a:
                    a1:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Subject Key Identifier:
                7C:8B:70:0E:26:BF:FB:37:68:FF:02:58:56:9C:08:6C:03:D7:0A:28
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
    Signature Algorithm: sha256WithRSAEncryption
         17:70:ce:ae:c6:d1:a5:79:bd:af:8b:51:ff:8c:8c:4d:4d:6a:
         21:96:87:8a:e3:42:28:7c:28:63:7d:d8:64:6b:92:64:75:ef:
         b7:13:1b:5b:4f:3d:63:81:1d:05:47:aa:67:b9:03:c6:29:f3:
         8d:a0:c3:0f:a2:f4:7c:04:aa:78:70:24:dc:2b:5f:ee:7e:94:
         55:ec:6b:e0:08:4d:20:94:79:a8:90:c0:90:34:f5:f0:e9:34:
         29:93:f5:2b:1e:fa:ec:dd:e8:8f:4d:ca:72:7a:97:ea:4d:40:
         9a:e4:a0:3c:33:41:dc:c4:1e:e3:aa:74:da:e9:e8:af:75:c2:
         11:4e:8f:63:76:de:81:5b:74:ee:ca:18:e9:06:ad:aa:20:a5:
         7a:16:e6:62:81:2d:12:23:43:43:ca:10:f7:f5:0e:6f:c8:1c:
         6b:e0:79:d2:1e:f8:85:23:25:a9:10:77:94:f4:ae:37:df:88:
         33:4e:da:9d:f0:2e:81:aa:27:11:07:bc:0f:8f:e2:22:a9:30:
         49:5f:81:ad:d5:8c:c9:46:75:86:81:3a:a7:77:52:f5:c9:48:
         aa:48:25:5a:cb:00:4c:a7:f2:9e:35:ca:23:00:cc:5f:c4:45:
         3d:a2:8c:19:61:ef:bc:21:81:96:2a:ed:98:9b:af:6a:69:e8:
         89:12:42:e8
#Meraki Authentication Radius Certificate
#Updated 23 August 2017
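A help desk can check the certificate a device prompts for against the Host, Issued and Expires values published above by parsing `openssl x509 -noout -text` output. The following is an added example, not Meraki's own tooling; the function names and the trimmed sample (field values copied from this page, key and signature bytes omitted) are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Values published on this page (Host / Issued / Expires).
EXPECTED = {
    "host": "radius.meraki.com",
    "issuer_cn": "COMODO RSA Domain Validation Secure Server CA",
    "not_after": datetime(2020, 8, 13, 23, 59, 59, tzinfo=timezone.utc),
}

# Trimmed sample of `openssl x509 -noout -text` output: field values are
# copied from this page, key and signature bytes are omitted.
SAMPLE = """\
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug 14 00:00:00 2017 GMT
            Not After : Aug 13 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=EssentialSSL, CN=radius.meraki.com
            X509v3 Subject Alternative Name:
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
"""

def parse_cert_text(text):
    """Extract issuer CN, subject CN, expiry and SAN DNS names (CN assumed last RDN)."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    raw = field(r"Not After\s*:\s*(.+?)\s+GMT")
    expiry = datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc) if raw else None
    return {
        "issuer_cn": field(r"^\s*Issuer:.*?\bCN\s*=\s*(.+)$"),
        "subject_cn": field(r"^\s*Subject:.*?\bCN\s*=\s*(.+)$"),
        "not_after": expiry,
        "san": re.findall(r"DNS:([^,\s]+)", text),
    }

def check_cert(text, now, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the fields match."""
    cert, problems = parse_cert_text(text), []
    if expected["host"] not in cert["san"] and cert["subject_cn"] != expected["host"]:
        problems.append("host not in SAN or subject CN")
    if cert["issuer_cn"] != expected["issuer_cn"]:
        problems.append("unexpected issuer")
    if cert["not_after"] != expected["not_after"]:
        problems.append("expiry differs from published value")
    if cert["not_after"] is None or now > cert["not_after"]:
        problems.append("certificate expired")
    return problems
```

Matching fields confirms only that the prompt shows the published names and dates; the supplicant's own chain validation is still what establishes that the certificate is genuine.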