Skip to main content
Cisco Meraki Documentation

Certificate-based Wi-Fi authentication with Systems Manager and Meraki APs

Systems Manager can be used with Cisco Meraki wireless networks to easily deploy certificate-based (EAP-TLS) authentication to iOS, Android, OS X, and Windows clients. This is ideal for customers that want to seamlessly and securely (using WPA2) authenticate users while avoiding the additional requirements of an external RADIUS server. This article will cover an example of how to implement this solution.

How it Works

Each device enrolled in Systems Manager is given a unique SCEP certificate. When configured as shown below, this certificate is used by the Cisco Meraki access points to authenticate the device. All completed automatically in the background without a need to manually enter credentials or distribute a certificate.

 

This method also allows users to authenticate to the same SSID with a username and password, however, user credentials will need to be managed from the Users page.

Authenticating using the username and password

Configuring

The following instructions explain the process to set up certificate-based authentication, both in Systems Manager, and on the MR configuration side:

Tag Relevant Devices

Providing access to the wireless network from mobile devices using this method is done via manual tags. For more information on tags, read the article on Using and Applying Tags in Systems Manager. In this case, apply the desired tag to relevant devices.

 

Devices must be enrolled in a Systems Manager network in the same organization as the wireless network they will be connecting to. Android devices must be running Android 4.3 or higher and have the Systems Manager app installed.

Setup the Wireless Network

Setup a wireless SSID that will be authenticated to using the SCEP certificates. This can be a new SSID, or an existing one, as long as the Association requirements are configured as below. 

 

  1. Navigate to Wireless > Configure > Access control in the wireless network.
  2. Select the desired SSID.
  3. Under Security, select the option for Enterprise with Meraki Cloud authentication.
    Selecting Meraki Cloud Authentication
     
  4. Below the SM Sentry Wi-Fi click Add Sentry Network and select the desired Network, Scope, and Tag(s). Devices with ANY of the tags listed will be allowed. If the organization has multiple Systems Manager networks, the network name will precede the tag.
    Adding Sentry network
  5. Optionally, perform any additional configuration for this SSID as needed.
  6. Click Save Changes.

Please allow time for the automatic profile and certificate to be pushed down to the tagged devices before connecting to the SSID. Devices must be online and able to check-in with Systems Manager in order to receive updates.

Confirm Profile on Devices

On each device with the relevant tag, a Profile called Meraki Wifi will be applied to the device. This can be seen on the client details page in Systems Manager. 

Confirming profiles on devices

This can also be confirmed on the device. For iOS devices look under General > Device Management > Meraki Management > More Details. There should be a WIFI NETWORKS entry for the SSID (in this case, Meraki-Cert) and one under DEVICE IDENTITY CERTIFICATES titled "WiFi SCEP Certificate".

Wi-Fi networks

Device identity certificates

For Android devices, open the Systems Manager app, and confirm that a profile exists for "Meraki Wifi". The Systems Manager app is required for this functionality.

Systems Manager status

Disallowing Access

To remove a client device's access to the wireless network via certificate, either:

  • Was this article helpful?