Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS)
This article provides instructions on configuring Windows 10, macOS, and iOS client devices for certificate-based authentication (EAP-TLS) and obtaining authorization (such as SGT, VLAN, Group Policy, etc.) based on Access Manager rules.
The instructions in this article are intended as a reference to assist organizations in understanding the network settings, which can be useful when configuring network settings through an MDM or Group Policy (GP) update.
Please refer to Securing Managed Endpoints - EAP-TLS with Entra ID Lookup to view instructions on how to configure Entra ID integration, wired/wireless networks and Access Manager rules.
Download RADIUS CA Certificate From Access Manager
In EAP-TLS flow, both the Access Manager and the local RADIUS server on the MR (during fallback when Extended Local Auth is enabled) present their certificates, enabling the client to validate them before connecting. It is recommended to install the RADIUS CA certificate that signed both the Access Manager and the local RADIUS server certificates on your endpoints to ensure these certificates are trusted automatically, without requiring user intervention.
Follow the instructions below to download the RADIUS CA certificate from Access Manager and install it on the endpoint:
- Navigate to Access Manager > Configure > Certificates
- Click on Download RADIUS CA certificates
- This downloads multiple files - make sure your browser allows multiple file downloads.
Windows 10
-
Open the downloaded RADIUS certificate from previous step and click open again
-
Click on Install Certificate
-
Click Next > Next > Finish to continue installing certificate successfully
-
In windows, navigate to the Network and Sharing Center > click on Set up a new connection or network
- Choose Manually connect to a wireless network and click Next
- Enter the Network name that exactly matches the SSID configured for this use case, and choose WPA2-Enterprise as the security type. Click Next.
- Your network is successfully created. Click on Change connection settings
- Click on Security > choose Microsoft: Smart Card or other certificate as the authentication method > click on Settings
- Make sure following selections are made:
- Use a certificate on this computer is selected
- Use simple certificate selection is checked. In case of multiple certificates causing issues, it is recommended to uncheck this and specifically select the endpoint certificate for authentication on this SSID
- Verify the server's identity by validating the certificate is checked
- Connect to these servers: Enter eap.meraki.com and *.YOUR_ORG_ID.radius.meraki.direct (Eg. *.131313.radius.meraki.direct) to ensure the client only connects to Meraki's server and no other rogue device advertising an SSID. Your org ID can be found on the bottom of any dashboard page after you login.
- Trusted Root Certificate Authorities: Select your PKI's trusted root CA and Identity Trust Commercial Root CA 1 (Access Manager root installed in the previous step)
- Click Ok
- Click Ok again on the main properties window
- The windows client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).
macOS and iOS
macOS
- In macOS, open Keychain Access > Click on File > Import items > select the downloaded RADIUS CA certificate and click open
- Find the installed certificate (IdenTrust Commercial Root CA 1) from the list and open it > select Always Trust and close the window
- In macOS, open Apple Configurator application (you will need to download it from the App Store if you do not already have it)
- Click on File > New Profile
- Enter the Name and Identifier for the profile
- Click on Certificates > Configure > Select downloaded RADIUS CA certificate and click open
- Click on + icon > Select Endpoint/User Certificate to be used for this authentication
- Click on Wi-Fi and set the following values:
- Service Set Identifier (SSID): SSID that exactly matches the SSID configured for this use case
- Security Type: WPA2/WPA3 Enterprise
- Accepted EAP Types: TLS
- Identity Certificate: Choose the endpoint/user certificate added in the previous step
- Click on Trust under Enterprise Settings and Set the following values
- Trusted Certificates: Choose the certificate that was added in Certificates tab - Identity Trust Commercial Root CA 1
- Trusted Server Certificate Names: Add eap.meraki.com and *.YOUR_ORG_ID.radius.meraki.net to ensure the client only connects to Meraki's server and no other rogue device advertising an SSID. Your org ID can be found on the bottom of any dashboard page after you login.
- Click File > Save
- Open the saved profile - this action will download the profile
- Navigate to Settings > Device Management > Double click on the profile > Install
- Click Install
- The macOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).
iOS
On iOS, follow the same steps from macOS section:
- Copy the downloaded RADIUS CA certificate to iPhone and click open
- Navigate to Settings > Profile downloaded
- Click Install > Install again > Done
. 
- Copy the Profile created on Apple Configurator in the macOS section to iPhone and click open
- Navigate to Settings > Profile downloaded
- Click Install > Install > Done
- The iOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).