FAQ: Meraki Authentication to Require TLS 1.2 or Later Version

1. What is changing?

TLS is a protocol that ensures secure communication on the internet; it is periodically updated to help meet improved security standards. In order to facilitate the provisioning of enhanced security features, we will be discontinuing support for TLS 1.0 and 1.1 when using 802.1x, and all customers will be required to upgrade, at a minimum, to TLS version 1.2.

2. When is this change taking place?

Meraki will be discontinuing support for TLS versions 1.0 and 1.1 on May 17, 2023. Wireless devices using these protocols after this date will no longer be able to authenticate with Meraki Authentication.

To help you identify devices using TLS 1.0 and 1.1, we will be conducting a test deprecation beginning at 9:00 am UTC on April 19, 2023, and ending at 9:00 am UTC on April 20, 2023. 

During this 24-hour period, your devices that use the TLS 1.0 and 1.1 protocol will become temporarily unavailable, giving you the opportunity to test your systems, upgrade your protocol, and resolve any compatibility issues before the final deprecation.

3. What is the purpose of the test deprecation?

The purpose of the 24-hour test deprecation on April 19, 2023, is to help ensure a smooth transition to TLS 1.2 or its later version(s). 

It will allow you the opportunity to identify outdated systems, promote readiness, and provide adequate time to upgrade your protocol before the final deprecation of TLS 1.0 and 1.1 on May 17, 2023.

4. What will I experience during the test deprecation?

During the test deprecation, Meraki Authentication will temporarily switch off support for TLS 1.0 and 1.1 with 802.1x. If you have any wireless devices that use these protocols, they will be unable to authenticate to the Meraki wireless network through Meraki Authentication during this period.

If all of your devices have already been upgraded to TLS 1.2 or its later version(s), you will not experience any impact on April 19, 2023 or after May 17, 2023.

5. How can my affected devices be identified?

Any wireless device that connects to Wi-Fi and uses Meraki Authentication with TLS versions 1.0 or 1.1 with 802.1x will be affected by this change, including but not limited to mobile phones, university laptops used in labs, medical devices, and wireless printers. If you experience a loss of connectivity during the test period, it may be an indication that your device is using Meraki Authentication with prior TLS versions. 

You can also run a packet capture on your Meraki access point to determine the protocol used by your wireless device. If you need assistance to run a packet capture, please contact Meraki Technical Support.

6. Do I need to take any action to maintain connectivity?

If you have devices using TLS 1.0 or 1.1 with 802.1x, you will need to upgrade your TLS protocol to version 1.2 or a later version. To determine the protocol used by your wireless device, you can run a packet capture on your Meraki access point. If you need assistance to run a packet capture, please contact Meraki Technical Support. 

The process of upgrading your devices to support TLS 1.2 will vary based on the model and type of your wireless devices. If your devices do not support the latest TLS protocol, please refer to question 9 below for alternative authentication options.

7. Can I upgrade my TLS protocol during the test deprecation? Will upgrading during the test allow my affected devices to regain connectivity before the test period is complete?

Yes, you can upgrade your TLS protocol to version 1.2 or a later version during the test period to regain connectivity to the network using Meraki Authentication. This upgrade will ensure that your devices are compatible with the new security protocol requirements.

8. What happens if no action is taken before support for TLS 1.0 and 1.1 is deprecated on May 17, 2023?

Devices that cannot support TLS 1.2 or a later version will lose network access.

If your device does not support TLS 1.2, you can either upgrade your wireless device to support TLS 1.2 or use an alternative authentication method as described in question 9 below.

If your device supports TLS 1.2, you should be able to access your wireless network using Meraki Authentication without any issues.

9. What if my devices don't support the upgraded TLS protocol?

Some older devices may not support TLS 1.2 or its later version(s). In these cases, you may need to upgrade older devices to newer models that are compatible with TLS 1.2 or its later version(s) to maintain network connectivity.

If your devices are not compatible with TLS 1.2 and you are unable to upgrade them to any newer model(s), any authentication method that does not use Meraki Authentication can be used to regain connectivity after TLS 1.0 and 1.1 have been deprecated.

Alternative authentication options:

1. You may create a different SSID and use pre-shared key (PSK) authentication. This method requires clients to enter a predefined PSK to associate with the SSID. For more information, refer to our PSK documentation. 

2. You may create a different SSID and use identity pre-shared key (iPSK) without a RADIUS server authentication. This method allows for different PSKs to be used within the same SSID without the need for a RADIUS server, and allows for different policies to be set for each PSK. For more information, refer to our iPSK documentation.

10. How often does the TLS protocol need to be upgraded?

The frequency of TLS upgrades is dependent on various factors, such as the need for security enhancements or introductions of new features. New upgrades are periodically released and it is recommended that you apply these new updates to the TLS protocol in a timely manner.

11. Where can I go if I need additional assistance?

If you have additional questions or need assistance, please contact Meraki Technical Support. 

Open a case via:

• Meraki Dashboard

• Support home page

• Call your localized support line, which can be found at the bottom of the Meraki Technical Support webpage