EAP-TLS Client Configuration
This article provides instructions on configuring Windows 10, Apple macOS, and Apple iOS client devices for certificate-based authentication (EAP-TLS) and obtaining authorization (such as SGT, VLAN, or Group Policy) based on Access Manager rules.
The instructions in this article are intended as a reference to assist organizations in understanding the network settings, which can be useful when configuring network settings through a mobile device manager (MDM) or Meraki Group Policy (GP) update.
Refer to Securing Managed Endpoints - EAP-TLS with Entra ID Lookup to view instructions on how to configure Entra ID integration, wired/wireless networks and Access Manager rules.
Download RADIUS CA Certificate From Access Manager
In the EAP-TLS flow, both Access Manager and the local RADIUS server on the MR (during fallback when Extended Local Auth is enabled) present their certificates so that the client can validate them before connecting. It is recommended to install the RADIUS CA certificate that signed both the Access Manager and the local RADIUS server certificates on your endpoints, so that these certificates are trusted automatically without requiring user intervention.
Download Access Manager's RADIUS CA certificate for installation on the endpoints' Trusted Certificate Authority (CA) certificate store:
- Navigate to Access Manager > Configure > Certificates
- Click on Download RADIUS CA certificates
- This downloads a ZIP file, RADIUS-CA-certificates.zip, to your computer
- Unzip RADIUS-CA-certificates.zip to see two files:
  - Access-Manager-Root-CA.cer : the root C
  - Readme.txt
Microsoft Windows 10/11
Root Certificate Installation
1. Open the downloaded RADIUS certificate from the previous step and click Open again
2. Click on Install Certificate
3. Click Next > Next > Finish to complete the certificate installation
Assign Trusted CA Certificate to an SSID
Manually define which SSID(s) you want to trust with the installed CA certificate.
1. In Windows, navigate to the Network and Sharing Center > click on Set up a new connection or network
2. Choose Manually connect to a wireless network and click Next
3. Enter the Network name that exactly matches the SSID configured for this use case, and choose WPA2-Enterprise as the security type. Click Next.
4. Your network is successfully created. Click on Change connection settings
5. Click on Security > choose Microsoft: Smart Card or other certificate as the authentication method > click on Settings
6. Choose the following selections then select OK:
7. Click OK again on the main properties window
8. The Windows client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).
Apple macOS
Root Certificate Installation
1. In macOS, open Keychain Access > Click on File > Import items > select the downloaded RADIUS CA certificate and click Open
2. Find the installed certificate (IdenTrust Commercial Root CA 1) from the list and open it > select Always Trust and close the window
Provision the Certificate with Apple Configurator
For Apple macOS, you will need to download, install, and open the Apple Configurator application from the App Store.
1. Click on File > New Profile
2. Enter the Name and Identifier for the profile
3. Click on Certificates > Configure > Select downloaded RADIUS CA certificate and click Open
4. Click on + icon > Select Endpoint/User Certificate to be used for this authentication
5. Click on Wi-Fi and set the following values:
6. Select Trust under Enterprise Settings and set these values:
7. Click File > Save
8. Open the saved profile - this action will download the profile
9. Navigate to Settings > Device Management > Double click on the profile > Install
10. Click Install
The macOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).
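
Before distributing the saved profile through an MDM, its Wi-Fi payload can be checked for the trust settings that EAP-TLS depends on. The Python script below is an added example, not part of the original article or of any Meraki or Apple tooling. It reads a .mobileconfig and reports where server trust or the client identity is not pinned. The payload keys are Apple's configuration profile keys. The SSID `Corp-EAP-TLS`, the server name `radius.example.com`, and the UUID strings are constructed sample values, and treating a missing `TLSTrustedServerNames` as a finding is this example's policy, not a requirement stated in the article.

```python
import plistlib

EAP_TLS = 13  # EAP method type number for EAP-TLS
CA_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def audit_wifi_profile(profile_bytes, ssid):
    """Return findings for the Wi-Fi payload of `ssid` in a .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    def uuids(types):
        return {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in types}
    cas, identities = uuids(CA_TYPES), uuids(IDENTITY_TYPES)
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"
            and p.get("SSID_STR") == ssid]
    if not wifi:
        return [f"no Wi-Fi payload for SSID {ssid!r}"]
    findings = []
    for p in wifi:
        eap = p.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            findings.append("AcceptEAPTypes is not exactly [13]: other EAP methods are allowed")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or not set(anchors) <= cas:
            findings.append("server trust is not anchored to a CA certificate in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no TLSTrustedServerNames: any server certificate under the anchor CA is accepted")
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append("TLSAllowTrustExceptions is true: users can accept an untrusted server")
        if p.get("PayloadCertificateUUID") not in identities:
            findings.append("no client identity certificate is bound to the Wi-Fi payload")
    return findings

def sample_profile(eap, identity_ref="ID-1"):
    """Constructed test profile: one CA payload, one identity, one Wi-Fi payload."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1"},
        {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "ID-1"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Corp-EAP-TLS",
         "EncryptionType": "WPA2", "PayloadCertificateUUID": identity_ref,
         "EAPClientConfiguration": eap}]})

# Constructed samples: a pinned profile and one that leaves server trust open
GOOD = sample_profile({"AcceptEAPTypes": [13], "PayloadCertificateAnchorUUID": ["CA-1"],
                       "TLSTrustedServerNames": ["radius.example.com"],
                       "TLSAllowTrustExceptions": False})
WEAK = sample_profile({"AcceptEAPTypes": [13, 25], "TLSAllowTrustExceptions": True})

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_wifi_profile(blob, "Corp-EAP-TLS") or "ok")
```

To audit a real profile, pass the bytes of the file saved from Apple Configurator and the SSID configured for this use case.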
Apple iOS
- On iOS, follow the same steps as in the macOS section:
- Copy the downloaded RADIUS CA certificate to the iPhone and click Open
- Navigate to Settings > Profile downloaded
- Click Install > Install again > Done
- Copy the profile created in Apple Configurator in the macOS section to the iPhone and click Open
- Navigate to Settings > Profile downloaded
- Click Install > Install > Done
- The iOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).