Cisco Meraki Documentation

How to: Authenticate Certificate-based Wi-Fi on SM and Meraki APs

Introduction  

This article explains the steps to configure certificate-based (EAP-TLS) Wi-Fi authentication for iOS, Android, macOS, and Windows devices. The configuration involves Cisco Meraki Systems Manager and Cisco Meraki access points. 

Devices enrolled in Systems Manager are given a unique SCEP certificate. This certificate is used by access points to authenticate the device. 

Authentication occurs automatically in the background without requiring users to manually enter credentials or distribute certificates. 

This method also allows users to authenticate to the same SSID with a username and password. However, user credentials need to be managed from the Users page.

This image shows the certificate-based authentication workflow. 

Authenticating using the username and password

Prerequisites  

  • Devices must be enrolled in a Systems Manager network in the same organization as the wireless network they are connected to

  • Android 4.3 or higher  

  • Systems Manager app required 

Step-by-step instructions  

Step 1 Tag relevant devices 

Providing access to the wireless network from mobile devices using this method is done via manual tags. 

For more information about tags, refer to Using and Applying Tags in Systems Manager. In this case, apply the desired tag to the relevant devices.

Step 2 Configure the Wireless Network 

Configure a wireless SSID that will use certificate-based authentication with SCEP certificates. This can be a new or existing SSID, as long as the association requirements are configured correctly. 

a. Navigate to Wireless > Configure > Access control

b. Select the desired SSID

c. Under Security, select Enterprise with Meraki Cloud authentication


Selecting Meraki Cloud Authentication
 

d. Under SM Sentry Wi-Fi, click Add Sentry Network and select the desired Network, Scope, and Tag(s). 

Devices with any of the configured tags are allowed to access the SSID. If the organization contains multiple Systems Manager networks, the network name appears before the tag. 

Adding Sentry network

f. Configure any additional SSID settings as required. 

g. Click Save Changes

Allow time for the profile and certificate to be automatically pushed to tagged devices. Devices must be online and able to check in with Systems Manager to receive updates.

Disallow Access 

To remove a device’s access to the wireless network: 

Verification  

Confirm profile on devices  

On each device with the relevant tag, a profile named Meraki Wifi is automatically applied. This can be verified from the client details page in Systems Manager.  

Confirming profiles on devices

This can also be confirmed on the device. 

For iOS devices: 

  1. Navigate to General Device Management > Meraki Management > More Details.

  2. Verify that:

     a. the configured SSID (in this case, Meraki-Cert) appears under Wi-Fi Networks

     b. a certificate named Wi-Fi SCEP Certificate appears under Device Identity Certificates

Wi-Fi networks

Device identity certificates

For Android devices: 

  1. Open the Systems Manager app.

  2. Verify that the Meraki Wifi profile is present.

Systems Manager status
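
A fleet-wide version of the per-device check above, as an added example that is not part of the Meraki article or Meraki's own tooling: it sorts devices into confirmed, still waiting for a check-in, failed after a check-in, and holding Wi-Fi material without a configured tag. The record layout (name, tags, profiles, certs, checked_in_since_change), the tag names and the sample inventory are assumptions constructed for illustration; only the profile and certificate names come from the article.

```python
# Added example: audit an inventory against the Sentry Wi-Fi expectations.
# The record layout is hypothetical, not a Meraki export format.
PROFILE_NAME = "Meraki Wifi"            # profile name given in this article
CERT_NAME = "Wi-Fi SCEP Certificate"    # certificate name given in this article

def audit_sentry_wifi(devices, sentry_tags):
    """Classify devices as ok / pending / failed / stale for the SSID."""
    wanted = {t.strip() for t in sentry_tags}
    report = {"ok": [], "pending": {}, "failed": {}, "stale": []}
    for dev in devices:
        tags = {t.strip() for t in dev.get("tags", [])}
        present = {
            PROFILE_NAME: PROFILE_NAME in dev.get("profiles", []),
            CERT_NAME: CERT_NAME in dev.get("certs", []),
        }
        gaps = [item for item, ok in present.items() if not ok]
        if tags & wanted:
            # Any one configured tag puts the device in scope, so both the
            # profile and the certificate should have been pushed to it.
            if not gaps:
                report["ok"].append(dev["name"])
            elif dev.get("checked_in_since_change", False):
                # Checked in after the change and still incomplete.
                report["failed"][dev["name"]] = gaps
            else:
                # Offline since the change: the push has not had a chance yet.
                report["pending"][dev["name"]] = gaps
        elif any(present.values()):
            # No configured tag, but Wi-Fi profile or certificate still present.
            report["stale"].append(dev["name"])
    return report

# Constructed sample inventory (device names and tags are made up).
SAMPLE = [
    {"name": "ipad-01", "tags": ["wifi-cert"], "profiles": [PROFILE_NAME],
     "certs": [CERT_NAME], "checked_in_since_change": True},
    {"name": "pixel-07", "tags": ["wifi-cert", "sales"], "profiles": [PROFILE_NAME],
     "certs": [], "checked_in_since_change": True},
    {"name": "win-03", "tags": ["wifi-cert"], "profiles": [], "certs": [],
     "checked_in_since_change": False},
    {"name": "mac-12", "tags": ["kiosk"], "profiles": [PROFILE_NAME],
     "certs": [CERT_NAME], "checked_in_since_change": True},
    {"name": "ipad-09", "tags": [], "profiles": [], "certs": []},
]

if __name__ == "__main__":
    for bucket, members in audit_sentry_wifi(SAMPLE, ["wifi-cert"]).items():
        print(f"{bucket}: {members}")
```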
