Cisco Meraki Documentation

EAP-TLS Client Configuration

This article provides instructions on configuring Windows 10, Apple macOS, and Apple iOS client devices for certificate-based authentication (EAP-TLS) and obtaining authorization (such as SGT, VLAN, Group Policy, etc.) based on Access Manager rules.

The instructions in this article are intended as a reference to assist organizations in understanding the network settings, which can be useful when configuring network settings through a mobile device manager (MDM) or Meraki Group Policy (GP) update.

Refer to Securing Managed Endpoints - EAP-TLS with Entra ID Lookup to view instructions on how to configure Entra ID integration, wired/wireless networks and Access Manager rules. 

Download RADIUS CA Certificate From Access Manager

In the EAP-TLS flow, both the Access Manager and the local RADIUS server on the MR (used as a fallback when Extended Local Auth is enabled) present their certificates, so the client can validate them before connecting. It is recommended to install the RADIUS CA certificate that signed both the Access Manager and the local RADIUS server certificates on your endpoints, so that these certificates are trusted automatically without user intervention.

Download Access Manager's RADIUS CA certificate for installation on the endpoints' Trusted Certificate Authority (CA) certificate store: 

  1. Navigate to Access Manager > Configure > Certificates
  2. Click on Download RADIUS CA certificates
  3. This downloads a ZIP file, RADIUS-CA-certificates.zip, to your computer 
  4. Unzip RADIUS-CA-certificates.zip to see two files:
    • Access-Manager-Root-CA.cer: the root C
    • Readme.txt

Microsoft Windows 10/11

Root Certificate Installation

1. Open the downloaded RADIUS CA certificate from the previous step and click Open again
2. Click on Install Certificate
3. Click Next > Next > Finish to complete the certificate installation

Assign Trusted CA Certificate to an SSID

Manually define which SSID(s) you want to trust with the installed CA certificate.

1. In Windows, navigate to the Network and Sharing Center > click on Set up a new connection or network
2. Choose Manually connect to a wireless network and click Next
3. Enter the Network name that exactly matches the SSID configured for this use case, and choose WPA2-Enterprise as the security type. Click Next.
4. Your network is successfully created. Click on Change connection settings
5. Click on Security > choose Microsoft: Smart Card or other certificate as the authentication method > click on Settings
6. Choose the following selections then select OK:
  • ⦿ Use a certificate on this computer is selected
  • ☑ Use simple certificate selection
    If multiple client certificates cause selection problems, uncheck this and explicitly select the endpoint certificate to be used for authentication on this SSID
  • ☑ Verify the server's identity by validating the certificate
  • ☑ Connect to these servers: eap.meraki.com, *.YOUR_ORG_ID.radius.meraki.direct
    • This ensures the client only connects to Meraki's server and not to a rogue device advertising the same SSID. Your org ID can be found at the bottom of any dashboard page after you log in.
  • Select your Trusted Root Certificate Authorities:
    ☑ your Trusted Root CA
    ☑ IdenTrust Commercial Root CA 1

7. Click OK again on the main properties window
8. The Windows client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).

Apple macOS

Root Certificate Installation

1. In macOS, open Keychain Access > click on File > Import Items > select the downloaded RADIUS CA certificate and click Open
2. Find the installed certificate (IdenTrust Commercial Root CA 1) in the list and open it > select Always Trust and close the window


Provision the Certificate with Apple Configurator

For Apple macOS, you will need to download, install, and open the Apple Configurator application from the App Store.

1. Click on File > New Profile
2. Enter the Name and Identifier for the profile
3. Click on Certificates > Configure > select the downloaded RADIUS CA certificate and click Open
4. Click on the + icon > select the endpoint/user certificate to be used for this authentication
5. Click on Wi-Fi and set the following values: 
  • Service Set Identifier (SSID): SSID that exactly matches the SSID configured for this use case
  • Security Type: WPA2/WPA3 Enterprise
  • Accepted EAP Types: TLS
  • Identity Certificate: Choose the endpoint/user certificate added in the previous step

6. Select Trust under Enterprise Settings and set these values:

  • Trusted Certificates:
    ☑ IdenTrust Commercial Root CA 1
  • Trusted Server Certificate Names:
    eap.meraki.com
    *.YOUR_ORG_ID.radius.meraki.net

    This ensures the client only connects to Meraki's server for your org and not to a rogue device advertising the same SSID. Your org ID can be found at the bottom of any dashboard page after you log in.
7. Click File > Save
8. Open the saved profile; this downloads the profile
9. Navigate to Settings > Device Management > double-click the profile > Install
10. Click Install

The macOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS). 


Apple iOS 

  1. On iOS, follow the same steps as in the macOS section:
  2. Copy the downloaded RADIUS CA certificate to the iPhone and click Open
  3. Navigate to Settings > Profile Downloaded
  4. Click Install > Install again > Done
  5. Copy the profile created with Apple Configurator in the macOS section to the iPhone and click Open
  6. Navigate to Settings > Profile Downloaded
  7. Click Install > Install > Done
  8. The iOS client is now successfully configured to connect to the wireless network using a certificate (EAP-TLS).