Cisco Meraki Documentation

Meraki Authentication Server Certificate Rotation (23 Oct 2017)

Overview

Due to an approaching certificate expiration and an incompatibility with Apple's iOS 11 that prevented client associations, Meraki rotated the RADIUS server certificate for Meraki Authentication on 23 October 2017. The sections below describe the expected impact and the remediation steps for potential issues.

Meraki Authentication with Sentry Wifi

Users of Meraki Authentication with Systems Manager Sentry Wifi whose devices were online during the week of 15 October 2017 will see no user-visible impact.

Users whose devices were not online during that period, or were unable to associate because of the iOS 11 incompatibility, only need to associate to an SSID that lets the device check in with dashboard for long enough for a check-in cycle to complete (~2 minutes). The device will then receive the updated payload and resume normal operation.

Meraki Authentication without Sentry Wifi

Users of Meraki Authentication without Sentry Wifi will need to 'trust' the new certificate, identified by the information below, when associating to the Meraki Authentication SSID on or after 23 October 2017. Some devices may require the SSID to be "forgotten" before they will prompt to accept the new certificate.

Host: radius.meraki.com
Issued: COMODO RSA Domain Validation Secure Server CA
Expires: Thursday, August 13, 2020

Certificate Details

Below is a copy of the certificate which users will be required to accept, as well as the plaintext output from reading the certificate with openssl:

meraki$ openssl x509 -noout -text -in ./new.meraki-auth-radius.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:70:86:cd:3d:48:2b:58:dd:f2:04:d6:20:24:8f:14
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug 14 00:00:00 2017 GMT
            Not After : Aug 13 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=EssentialSSL, CN=radius.meraki.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a6:5a:5c:28:2b:97:40:90:75:11:13:42:48:4c:
                    d6:c0:bf:8c:f0:d2:59:d1:4d:56:03:16:19:40:76:
                    1c:2b:42:c4:b8:82:68:dc:36:ca:7b:1f:6e:55:65:
                    f9:05:c8:1c:18:80:cd:4a:f2:5f:30:69:bc:16:b9:
                    0d:65:85:c3:12:21:2c:c3:84:2d:6d:99:78:13:7a:
                    af:69:a1:7e:7a:eb:af:01:7b:be:30:ec:a2:3a:6c:
                    98:ec:29:74:6c:64:4e:bd:bd:85:29:65:fe:cd:50:
                    4b:b9:1e:6d:6a:a6:e1:48:a5:2d:9b:06:39:11:8f:
                    72:be:05:8b:11:3d:01:ba:9d:03:ed:f7:04:5f:bc:
                    26:da:0e:80:d9:83:5e:8d:51:c4:91:d2:ae:57:ff:
                    fe:9b:16:35:51:a3:7c:97:08:61:c8:02:7d:d5:9d:
                    4b:c5:5e:06:1e:a0:91:63:da:6b:de:be:a5:30:29:
                    1b:38:7a:10:4b:d4:d4:0b:ad:4b:9d:70:ff:33:31:
                    b0:fb:0b:ab:f2:b2:5c:d4:fd:15:7e:f1:be:7a:36:
                    4e:e9:06:fb:e2:ee:f7:25:93:ad:64:af:31:09:70:
                    8c:c9:cf:05:7e:47:46:fa:96:0e:c1:e5:f7:48:ef:
                    a7:40:0c:3c:6f:76:fe:e2:7c:32:96:c2:76:0a:5a:
                    a1:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 Subject Key Identifier:
                7C:8B:70:0E:26:BF:FB:37:68:FF:02:58:56:9C:08:6C:03:D7:0A:28
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
    Signature Algorithm: sha256WithRSAEncryption
         17:70:ce:ae:c6:d1:a5:79:bd:af:8b:51:ff:8c:8c:4d:4d:6a:
         21:96:87:8a:e3:42:28:7c:28:63:7d:d8:64:6b:92:64:75:ef:
         b7:13:1b:5b:4f:3d:63:81:1d:05:47:aa:67:b9:03:c6:29:f3:
         8d:a0:c3:0f:a2:f4:7c:04:aa:78:70:24:dc:2b:5f:ee:7e:94:
         55:ec:6b:e0:08:4d:20:94:79:a8:90:c0:90:34:f5:f0:e9:34:
         29:93:f5:2b:1e:fa:ec:dd:e8:8f:4d:ca:72:7a:97:ea:4d:40:
         9a:e4:a0:3c:33:41:dc:c4:1e:e3:aa:74:da:e9:e8:af:75:c2:
         11:4e:8f:63:76:de:81:5b:74:ee:ca:18:e9:06:ad:aa:20:a5:
         7a:16:e6:62:81:2d:12:23:43:43:ca:10:f7:f5:0e:6f:c8:1c:
         6b:e0:79:d2:1e:f8:85:23:25:a9:10:77:94:f4:ae:37:df:88:
         33:4e:da:9d:f0:2e:81:aa:27:11:07:bc:0f:8f:e2:22:a9:30:
         49:5f:81:ad:d5:8c:c9:46:75:86:81:3a:a7:77:52:f5:c9:48:
         aa:48:25:5a:cb:00:4c:a7:f2:9e:35:ca:23:00:cc:5f:c4:45:
         3d:a2:8c:19:61:ef:bc:21:81:96:2a:ed:98:9b:af:6a:69:e8:
         89:12:42:e8
#Meraki Authentication Radius Certificate 
#Updated 23 August 2017
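An added example, not part of Meraki's documentation: a check an administrator can run over `openssl x509 -noout -text` output for the certificate a device is asked to trust, comparing it with the values published above. The `EXPECTED` keys and the function names are this example's own, and `PAGE_DUMP` is an excerpt of the dump on this page.

```python
import re
from datetime import datetime, timezone

# Values published in the rotation notice and its openssl dump.
EXPECTED = {
    "serial": "1b:70:86:cd:3d:48:2b:58:dd:f2:04:d6:20:24:8f:14",
    "issuer_cn": "COMODO RSA Domain Validation Secure Server CA",
    "subject_cn": "radius.meraki.com",
    "not_after": "Aug 13 23:59:59 2020 GMT",
}

# Excerpt of the openssl text output shown on this page (key and signature bytes omitted).
PAGE_DUMP = """\
        Serial Number:
            1b:70:86:cd:3d:48:2b:58:dd:f2:04:d6:20:24:8f:14
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug 14 00:00:00 2017 GMT
            Not After : Aug 13 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=EssentialSSL, CN=radius.meraki.com
            X509v3 Subject Alternative Name:
                DNS:radius.meraki.com, DNS:www.radius.meraki.com
"""

def parse_dump(text):
    """Pull the identity fields out of `openssl x509 -noout -text` output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "serial": (grab(r"Serial Number:\s*([0-9a-fA-F:]+)") or "").lower() or None,
        "issuer_cn": grab(r"^\s*Issuer:.*?CN\s*=\s*(.+)$"),   # assumes CN is the last RDN
        "subject_cn": grab(r"^\s*Subject:.*?CN\s*=\s*(.+)$"),
        "not_after": grab(r"Not After\s*:\s*(.+)$"),
        "san": re.findall(r"DNS:([^\s,]+)", text),
    }

def mismatches(text, now=None):
    """Return reasons not to trust the dumped certificate; an empty list means it matches."""
    got = parse_dump(text)
    problems = [f"{k}: expected {v!r}, got {got[k]!r}" for k, v in EXPECTED.items() if got[k] != v]
    if EXPECTED["subject_cn"] not in got["san"]:
        problems.append("subject_cn missing from Subject Alternative Name")
    if got["not_after"]:
        expiry = datetime.strptime(got["not_after"], "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        if (now or datetime.now(timezone.utc)) > expiry:
            problems.append("certificate has expired")
    return problems
```

Called without `now`, `mismatches` uses the current time, so a dump of this 2017 certificate is reported as expired after 13 August 2020.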
