Certificate-based Wi-Fi authentication with Systems Manager and Meraki APs
Systems Manager can be used with Cisco Meraki wireless networks to easily deploy certificate-based (EAP-TLS) authentication to iOS, Android, OS X, and Windows 10 clients. This is ideal for customers that want to seamlessly and securely (using WPA2) authenticate users while avoiding the additional requirements of an external RADIUS server. This article will cover an example of how to implement this solution.
How it Works
Each device enrolled in Systems Manager is given a unique SCEP certificate. When configured as shown below, this certificate is used by the Cisco Meraki access points to authenticate the device. All completed automatically in the background without a need to manually enter credentials or distribute a certificate.
This method also allows users to authenticate to the same SSID with a username and password, however, user credentials will need to be managed from the Users page.
The following instructions explain the process to set up certificate-based authentication, both in Systems Manager, and on the MR configuration side:
Tag Relevant Devices
Providing access to the wireless network from mobile devices using this method is done via manual tags. For more information on tags, read the article on Using and Applying Tags in Systems Manager. In this case, apply the desired tag to relevant devices.
Devices must be enrolled in a Systems Manager network in the same organization as the wireless network they will be connecting to. Android devices must be running Android 4.3 or higher and have the Systems Manager app installed.
Setup the Wireless Network
Setup a wireless SSID that will be authenticated to using the SCEP certificates. This can be a new SSID, or an existing one, as long as the Association requirements are configured as below.
- Navigate to Wireless > Configure > Access control in the wireless network.
- Select the desired SSID.
- Under Network Access > Association requirements, select the option for Enterprise with Meraki Cloud authentication.
- Next to Systems Manager devices click in the text box and select the desired tag(s). Devices with ANY of the tags listed will be allowed. If the organization has multiple Systems Manager networks, the network name will precede the tag.
- Optionally, perform any additional configuration for this SSID as needed.
- Click Save Changes.
Please allow time for the automatic profile and certificate to be pushed down to the tagged devices before connecting to the SSID. Devices must be online and able to check-in with Systems Manager in order to receive updates.
Confirm Profile on Devices
On each device with the relevant tag, a Profile called Meraki Wifi will be applied to the device. This can be seen on the client details page in Systems Manager.
This can also be confirmed on the device. For iOS devices look under General > Device Management > Meraki Management > More Details. There should be a WIFI NETWORKS entry for the SSID (in this case, Meraki-Cert) and one under DEVICE IDENTITY CERTIFICATES titled "WiFi SCEP Certificate".
For Android devices, open the Systems Manager app, and confirm that a profile exists for "Meraki Wifi". The Systems Manager app is required for this functionality.
To remove a client device's access to the wireless network via certificate, either: