EAP-TLS Client Configuration
This article provides instructions on configuring Windows 10, Apple macOS, and Apple iOS client devices for certificate-based authentication (EAP-TLS) and obtaining authorization such as VLAN, Group Policy, Adaptive Policy, etc. based on Access Manager rules.
The instructions in this article are intended as a reference to assist organizations in understanding the network settings, which can be useful when configuring network settings through a unified endpoint manager (UEM) or Meraki Group Policy (GP) update.
Refer to EAP-TLS Certificate-based Authentication with Entra ID Lookup to view instructions on how to configure Entra ID integration, wired/wireless networks and Access Manager rules. 
Download RADIUS CA Certificate From Access Manager
Download Access Manager's RADIUS CA certificate for installation on the endpoints' Trusted Certificate Authority (CA) certificate store:
- Navigate to Access Manager > Configure > Certificates
- Click on Download RADIUS CA certificates
- This downloads a ZIP file, RADIUS-CA-certificates.zip, to your computer
- Unzip RADIUS-CA-certificates.zip to see two files that will need to be deployed to your endpoints to trust Access Manager for establishing secure EAP tunnels:
| Filename | Description | 
|---|---|
| Access-Manager-Root-CA.cer | The Access Manager certificate (eap.meraki.com) chain | 
| Readme.txt | Instructions for using the certificate | 
Microsoft Windows 10/11
Root Certificate Installation
| 1. Open the downloaded RADIUS certificate from previous step and click open again | 
 | 
| 2. Click on Install Certificate |  | 
| 3. Click Next > Next > Finish to continue installing certificate successfully | 
Assign Trusted CA Certificate to an SSID
Manually define which SSID(s) you want to trust with the installed CA certificate.
| 1. In windows, navigate to the Network and Sharing Center > click on Set up a new connection or network |  | 
| 2. Choose Manually connect to a wireless network and click Next |  | 
| 3. Enter the Network name that exactly matches the SSID configured for this use case, and choose WPA2-Enterprise as the security type. Click Next. |  | 
| 4. Your network is successfully created. Click on Change connection settings |  | 
| 5. Click on Security > choose Microsoft: Smart Card or other certificate as the authentication method > click on Settings |  | 
| 6. Choose the following selections then select OK: 
 |  | 
7. Click Ok again on the main properties window
8. The windows client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS). 
Apple macOS
Root Certificate Installation
| 1. In macOS, open Keychain Access > Click on File > Import items > select the downloaded RADIUS CA certificate and click open |  | 
| 2. Find the installed certificate (IdenTrust Commercial Root CA 1) from the list and open it > select Always Trust and close the window |  | 
Provision the Certificate with Apple Configurator
For Apple macOS, you will need to download, install, and open the Apple Configurator application from the App Store.
| 1. Click on File > New Profile | |
| 2. Enter the Name and Identifier for the profile |  | 
| 3. Click on Certificates > Configure > Select downloaded RADIUS CA certificate and click Open |   | 
| 4. Click on + icon > Select Endpoint/User Certificate to be used for this authentication |  | 
| 5. Click on Wi-Fi and set the following values: 
 |  | 
| 6. Select Trust under Enterprise Settings and set these values: 
 |  | 
| 7. Click File > Save | |
| 8. Open the saved profile - this action will download the profile | |
| 9. Navigate to Settings > Device Management > Double click on the profile > Install |   | 
| 10. Click Install |  | 
The macOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).
Apple iOS
- On iOS, follow the same steps from macOS section:
- Copy the downloaded RADIUS CA certificate to iPhone and click open
- Navigate to Settings > Profile downloaded
- Click Install > Install again > Done
 
 . 
 
 
- Copy the Profile created on Apple Configurator in the macOS section to iPhone and click open
- Navigate to Settings > Profile downloaded
- Click Install > Install  > Done
 
    
- The iOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).


