Cisco Meraki Documentation

EAP-TTLS Client Configuration

This article provides instructions on configuring Microsoft Windows 10/11, Apple macOS, and Apple iOS client devices to authenticate against Microsoft Entra ID using username and password (EAP-TTLS+PAP) and obtain authorization (such as SGT, VLAN, Group Policy, etc.) based on Access Manager rules.

The instructions in this article are intended as a reference to assist organizations in understanding the network settings, which can be useful when configuring network settings through an MDM or Group Policy (GP) update.

Please refer to Securing Managed Endpoints - Username/Password Authentication against Entra ID to view instructions on how to configure Entra ID integration, wired/wireless networks and Access Manager rules. 

 

Download RADIUS CA Certificate From Access Manager

In EAP-TTLS/PAP flows, Access Manager presents its certificate during authentication, enabling the client to validate it before connecting. It is recommended to install the root CA certificate that signed the Access Manager certificate on your endpoints to ensure the Access Manager certificate is trusted automatically, without requiring user intervention.

Download Access Manager's RADIUS CA certificate for installation on the endpoints' Trusted Certificate Authority (CA) certificate store: 

  1. Navigate to Access Manager > Configure > Certificates
  2. Select Download RADIUS CA certificates
  3. This downloads a ZIP file, RADIUS-CA-certificates.zip, to your computer 
  4. Unzip RADIUS-CA-certificates.zip to see two files:
    Access-Manager-Root-CA.cer
    Readme.txt

 

Microsoft Windows 10/11

Root Certificate Installation

Open the downloaded RADIUS CA certificate from the previous step and select Open again.
Select Install Certificate.
Select Next > Next > Finish to complete the certificate installation.

 

Assign Trusted CA Certificate to an SSID

In Windows, navigate to the Network and Sharing Center.
Select Set up a new connection or network.
Choose Manually connect to a wireless network.
Select Next.
Enter the Network name that exactly matches the SSID configured for this use case.
Choose WPA2-Enterprise as the security type.
Select Next.
Your network is successfully created.
Select Change connection settings.
Select Security.
Choose Microsoft: EAP-TTLS as the authentication method.
Select Settings.

Make sure the following selections are made:

  • Enable identity privacy is checked (to ensure the true username is not shared in the initial EAP exchange)
  • Connect to these servers: Enter eap.meraki.com to ensure the client only connects to Meraki's server and not to a rogue device advertising the SSID.
  • Trusted Root Certificate Authorities: Select your PKI's trusted root CA and IdenTrust Commercial Root CA 1 (Access Manager root installed in the previous step)
  • Select a non-EAP method for authentication: Choose Unencrypted password (PAP). Please note that while the password is unencrypted, it is transmitted over an encrypted TLS tunnel.
  • Select OK
Select OK again on the main properties window.

 

The Windows client is now successfully configured to connect to the wireless network using a username and password (EAP-TTLS+PAP).

 

Apple macOS 

Root Certificate Installation

In Apple macOS, open Keychain Access, select File > Import Items, select the downloaded RADIUS CA certificate, and click Open.
Find the installed certificate (IdenTrust Commercial Root CA 1) in the list and open it, select Always Trust, and close the window.

 

Provision the Certificate with Apple Configurator

For Apple macOS, you will need to download, install, and open the Apple Configurator application from the App Store.

In macOS, open the Apple Configurator application (you will need to download it from the App Store if you do not already have it).
Select File > New Profile.
Enter the Name and Identifier for the profile.
Click on Certificates > Configure.
Select the downloaded RADIUS CA certificate and click Open.

Click on Wi-Fi and use the following values: 

  • Service Set Identifier (SSID): SSID that exactly matches the SSID configured for this use case
  • Security Type: WPA2/WPA3 Enterprise
  • Accepted EAP Types: TTLS
  • Inner Authentication: PAP

Select Trust under Enterprise Settings and set the following values:

  • Trusted Certificates: Choose the certificate that was added in the Certificates tab - IdenTrust Commercial Root CA 1
  • Trusted Server Certificate Names: Add eap.meraki.com to ensure the client only connects to Meraki's server and not to a rogue device advertising the SSID.
Click File > Save
Open the saved profile - this action will download the profile
Navigate to Settings > Device Management > double-click the profile > Install
Select Continue > Install

 

The macOS client is now successfully configured to connect to the wireless network using a username and password (EAP-TTLS+PAP). 
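
Before distributing the saved profile through an MDM, the trust settings above can be checked mechanically. The following is an added example, not Cisco Meraki code: a Python audit of an unsigned .mobileconfig file against the values in this article. The SSID, payload UUID and certificate bytes in the sample profile are constructed placeholders.

```python
import plistlib

EAP_TTLS = 21                       # EAP method number for TTLS in AcceptEAPTypes
EXPECTED_SERVER = "eap.meraki.com"  # server name this article tells clients to trust
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def audit_wifi_profile(profile_bytes, ssid):
    """Return findings for one SSID; an empty list means the profile matches the article."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in CERT_TYPES}
    wifi = [p for p in payloads
            if p.get("PayloadType") == "com.apple.wifi.managed" and p.get("SSID_STR") == ssid]
    if not wifi:
        return [f"no Wi-Fi payload for SSID {ssid!r}"]
    eap = wifi[0].get("EAPClientConfiguration", {})
    findings = []
    if eap.get("AcceptEAPTypes") != [EAP_TTLS]:
        findings.append("accepted EAP types are not TTLS only")
    if eap.get("TTLSInnerAuthentication") != "PAP":
        findings.append("inner authentication is not PAP")
    # The article relies on the next two settings so the client only completes
    # the TLS tunnel with Meraki's server, not a rogue device advertising the SSID.
    if eap.get("TLSTrustedServerNames", []) != [EXPECTED_SERVER]:
        findings.append(f"trusted server names are not exactly [{EXPECTED_SERVER}]")
    anchors = eap.get("PayloadCertificateAnchorUUID", [])
    if not anchors:
        findings.append("no trusted certificate selected for the Wi-Fi payload")
    elif not set(anchors) <= cert_uuids:
        findings.append("trusted certificate UUID has no matching certificate payload")
    return findings

def build_sample_profile(server_names, anchors):
    """Constructed test profile; SSID, UUIDs and certificate bytes are placeholders."""
    cert = {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID-PLACEHOLDER",
            "PayloadContent": b"placeholder, not a real certificate"}
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Example-SSID",
            "EncryptionType": "WPA2",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TTLS],
                                       "TTLSInnerAuthentication": "PAP",
                                       "TLSTrustedServerNames": server_names,
                                       "PayloadCertificateAnchorUUID": anchors}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [cert, wifi]})

if __name__ == "__main__":
    good = build_sample_profile([EXPECTED_SERVER], ["CA-UUID-PLACEHOLDER"])
    weak = build_sample_profile([], [])
    print("good:", audit_wifi_profile(good, "Example-SSID"))
    print("weak:", audit_wifi_profile(weak, "Example-SSID"))
```

To audit a real profile, pass the bytes of the file saved from Apple Configurator and the SSID configured for this use case. A signed profile is wrapped in a CMS envelope and must be unwrapped before plistlib can parse it.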

 

Apple iOS 

On Apple iOS, follow the same steps as in the macOS section:

  1. Copy the downloaded RADIUS CA certificate to the iPhone and click Open
  2. Navigate to Settings > Profile downloaded
  3. Click Install > Install again > Done
  4. Copy the profile created in Apple Configurator in the macOS section to the iPhone and click Open
  5. Navigate to Settings > Profile downloaded
  6. Click Install > Install > Install > Done
  7. The iOS client is now successfully configured to connect to the wireless network using a username and password (EAP-TTLS/PAP).