EAP-TLS Client Configuration

Last updated
Save as PDF

This article provides instructions on configuring Windows 10, Apple macOS, and Apple iOS client devices for certificate-based authentication (EAP-TLS) and obtaining authorization such as VLAN, Group Policy, Adaptive Policy, etc. based on Access Manager rules.

The instructions in this article are intended as a reference to assist organizations in understanding the network settings, which can be useful when configuring network settings through a unified endpoint manager (UEM) or Meraki Group Policy (GP) update.

Refer to EAP-TLS Certificate-based Authentication with Entra ID Lookup to view instructions on how to configure Entra ID integration, wired/wireless networks and Access Manager rules.

Download RADIUS CA Certificate From Access Manager

In EAP-TLS flow, both the Access Manager and the local RADIUS server on the MR (during fallback when Extended Local Auth is enabled) present their certificates, enabling the client to validate them before connecting. It is recommended to install the RADIUS CA certificate that signed both the Access Manager and the local RADIUS server certificates on your endpoints to ensure these certificates are trusted automatically, without requiring user intervention.

Download Access Manager's RADIUS CA certificate for installation on the endpoints' Trusted Certificate Authority (CA) certificate store:

Navigate to Access Manager > Configure > Certificates
Click on Download RADIUS CA certificates
This downloads a ZIP file, RADIUS-CA-certificates.zip, to your computer
Unzip RADIUS-CA-certificates.zip to see two files that will need to be deployed to your endpoints to trust Access Manager for establishing secure EAP tunnels:

Filename	Description
Access-Manager-Root-CA.cer	The Access Manager certificate (eap.meraki.com) chain
Readme.txt	Instructions for using the certificate

Microsoft Windows 10/11

Root Certificate Installation

1. Open the downloaded RADIUS certificate from previous step and click open again
2. Click on Install Certificate
3. Click Next > Next > Finish to continue installing certificate successfully

Assign Trusted CA Certificate to an SSID

Manually define which SSID(s) you want to trust with the installed CA certificate.

1. In windows, navigate to the Network and Sharing Center > click on Set up a new connection or network
2. Choose Manually connect to a wireless network and click Next
3. Enter the Network name that exactly matches the SSID configured for this use case, and choose WPA2-Enterprise as the security type. Click Next.
4. Your network is successfully created. Click on Change connection settings
5. Click on Security > choose Microsoft: Smart Card or other certificate as the authentication method > click on Settings
6. Choose the following selections then select OK: ⦿ Use a certificate on this computer is selected ☑ Use simple certificate selection In case of multiple certificates causing issues, it is recommended to uncheck this and specifically select the endpoint certificate for authentication on this SSID ☑ Verify the server's identity by validating the certificate ☑ Connect to these servers: *eap.meraki.com, .YOUR_ORG_ID.radius.meraki.direct This ensures client only connects to Meraki's server and no other rogue device advertising an SSID. Your org ID can be found on the bottom of any dashboard page after you login. Select your Trusted Root Certificate Authorities: ☑ your Trusted Root CA ☑ Identity Trust Commercial Root CA 1**

7. Click Ok again on the main properties window
8. The windows client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).

Apple macOS

Root Certificate Installation

1. In macOS, open Keychain Access > Click on File > Import items > select the downloaded RADIUS CA certificate and click open
2. Find the installed certificate (IdenTrust Commercial Root CA 1) from the list and open it > select Always Trust and close the window

Provision the Certificate with Apple Configurator

For Apple macOS, you will need to download, install, and open the Apple Configurator application from the App Store.

1. Click on File > New Profile
2. Enter the Name and Identifier for the profile
3. Click on Certificates > Configure > Select downloaded RADIUS CA certificate and click Open
4. Click on + icon > Select Endpoint/User Certificate to be used for this authentication
5. Click on Wi-Fi and set the following values: Service Set Identifier (SSID): SSID that exactly matches the SSID configured for this use case Security Type: WPA2/WPA3 Enterprise Accepted EAP Types: TLS Identity Certificate: Choose the endpoint/user certificate added in the previous step
6. Select Trust under Enterprise Settings and set these values: Trusted Certificates: ☑ Identity Trust Commercial Root CA 1 Trusted Server Certificate Names: eap.meraki.com *.YOUR_ORG_ID.radius.meraki.net This ensures the client only connects to Meraki's server for your org and no other rogue device advertising an SSID. Your org ID can be found on the bottom of any dashboard page after you login.
7. Click File > Save
8. Open the saved profile - this action will download the profile
9. Navigate to Settings > Device Management > Double click on the profile > Install
10. Click Install

The macOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).

Apple iOS

On iOS, follow the same steps from macOS section:
Copy the downloaded RADIUS CA certificate to iPhone and click open
Navigate to Settings > Profile downloaded
Click Install > Install again > Done

.
Copy the Profile created on Apple Configurator in the macOS section to iPhone and click open
Navigate to Settings > Profile downloaded
Click Install > Install > Done
The iOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).