Meraki Trusted Access is an easy, secure way to connect iOS, iPadOS, macOS, and Android devices to Meraki MR wireless networks without enrolling the device in Systems Manager. It provides simple, secure certificate-based EAP-TLS authentication, eliminating the need to set up a certificate authority (CA) or RADIUS server.
Once you have defined which users can have access to your network, they will be able to download the configuration profile needed to join the SSID from a self-service portal using the authentication method you’ve defined for the network.
Trusted Access Configuration Overview and Process Flow
A network with a Meraki MR wireless access point.
A network with Systems Manager (SM) licenses in the same organization as the MR network. One SM license is consumed for each Trusted Access device.
To set up Trusted Access, you will have to toggle the relevant configurations in the dashboard, and scope a Trusted Access WiFi configuration that users can download when logging into the Self-Service Portal (SSP).
In this guide, we will scope a configuration to all users on the network, but you can use tags to scope access more granularly.
Step 1: Enable Authentication, SSP and Trusted Access
First, set your authentication settings. In your Meraki dashboard, navigate to Systems Manager > Configure > General. The first required configuration on this page is User authentication settings:
The currently supported authentication types are Managed (Meraki-hosted accounts) and Active Directory (your own Active Directory server). Trusted Access is not currently fully supported on networks that use a Google (non-Meraki-managed) domain for Android Enterprise.
Next, you will have to enable client access to the Self Service Portal. Under Self Service Portal settings, enable Network-wide access for the Self-Service Portal, and set new user access to Default grant:
At this stage, take note of the Portal Link URL for your network. This is the URL to the Self-Service Portal that will be used in the "User Access" portion of this guide.
Finally, just below the SSP settings you will see the options to enable new user access and set a default device limit for Trusted Access. Set new user access to Default grant, and set the device limit to the number of devices users on your network should be able to add by default.
Note: The device limit number can be manually overwritten for an individual user in the Systems Manager > Owners page. You can also override SSP or Trusted Access permissions on a per-user basis.
Step 2: Create and configure a Trusted Access SSID
In your MR wireless network dashboard, go to Wireless > Configure > SSIDs. Enable and name a new SSID to be used for Trusted Access, or select an existing one.
Underneath your new or existing SSID, click "edit settings", which takes you to the SSID's Access control page.
On the Access control page, under Network access, select "WPA-2 Enterprise with [Meraki authentication]". This is the required form of authentication for Trusted Access:
Next, ensure "Splash Page" is set to "None (direct access)":
In the next section, enable "Systems Manager Trusted Access":
Next, you will need to add a Trusted Access config that allows all users connecting to this SSID to access the network. Click the + Add config button to open the configuration modal:
In this window, you will set the name of your profile (which will be visible to end users), the Systems Manager network you'd like to grant them access to, the duration of access (which begins when they add a device), and the scope of which users this configuration will apply to.
For this setup, scope the configuration to all users; you can also scope access by owner tags, the same way tag scoping works elsewhere in SM. Keep in mind that only owner tags are supported here, because Trusted Access is owner-based.
After you are done setting these configurations, click "Apply changes", and your new config will appear in a table as seen below:
Finally, click "Save changes" at the bottom of the page.
Step 3: Provisioning Owner Access
Next, you will have to provision access to owners (users) on your network to use Trusted Access. This can be done in a couple of ways.
If a new user logging into the network for the first time belongs to the Active Directory domain associated with Systems Manager enrollment authentication on your network, they will automatically be granted the default access and device limit per the settings in Step 1 above.
For existing owners in your Systems Manager network, you'll have to provision access via the Systems Manager > Owners page before they are able to use Trusted Access. This can be done individually by clicking the owner to open their edit modal, toggling both the SSP and Trusted Access, setting a device limit, and clicking "Apply options":
Note: A list of all Trusted Access devices for a specific owner can be found by navigating to Systems Manager > Owners then selecting the desired owner to view the Trusted Access devices section at the bottom of the Owner details window (displayed in the screenshot above).
This process can also be done in bulk. Select multiple owners from the Owners table, then click the Edit button. From the menu, enable both the SSP and Trusted Access, set a device limit, and click "Apply options":
The selected owners will now be able to use their credentials to log in to the Self-Service Portal and add Trusted Access devices.
Next, log in to the Self-Service Portal from the device you'd like to connect to the network. Using an owner that was granted Trusted Access in Step 3 above, add a new Trusted Access device and download the mobile config that allows the device to connect to the Trusted Access enabled SSID.
Go to the link from Step 1, or go to https://portal.meraki.com and enter your network ID or network enrollment string, which will take you to the login page. Enter the username and password for a user you provisioned Trusted Access for in Step 3.
Upon logging in, since this user does not yet have any Trusted Access devices, you will see the "Add a device" page:
Enter a device name, select a device type (Mac or iPhone/iPad), and click "Add Device". The device is added, and you are forwarded to the device page, which lists all profiles in scope for this device:
Click "Download config" for the desired profile, and you will be taken to the instruction page for your selected platform. Follow the instructions on this page to finish installing the Trusted Access profile:
After you are done, selecting "Finish" will take you back to the device page.
Your device should now be able to connect to the Trusted Access SSID using secure certificate-based EAP-TLS authentication.
1. After signing into portal.meraki.com, tap on an available Trusted Access configuration.
2. A profile (.mobileconfig) will automatically download. Tap "Allow" to permit the download onto your device.
3. Tap "Close" in the "Profile downloaded" alert window. Next, open the Settings app to install the profile on the device.
4. In the Settings app, find the "Profile Downloaded" section.
Note: if the .mobileconfig is not installed within 10 minutes, it may be removed from this section and need to be re-downloaded from portal.meraki.com.
5. The profile contains a Wi-Fi Network, a Device Identity Certificate, and a Certificate. Tap Install at the top right. You will be prompted to enter the device passcode.
The device now has access to the Trusted Access SSID for the duration configured in the Trusted Access config. The user can see the installed profile on their device under Settings > General > VPN & Device Management.
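As an added example (not code from the page or from Meraki), the following Python script audits a downloaded .mobileconfig before it is installed: it checks that the Wi-Fi payload accepts only EAP-TLS, references a device identity (PKCS#12) payload, and pins a trusted server CA, the three items the profile is stated to contain above. The payload types and keys are Apple's documented configuration-profile keys; the sample profile is constructed here, and the exact structure of the Meraki-generated profile is not shown on the page.

```python
import plistlib

EAP_TLS = 13  # EAP method number Apple's AcceptEAPTypes uses for EAP-TLS

def make_sample_profile(eap_types=(EAP_TLS,), pin_ca=True) -> bytes:
    """Constructed sample .mobileconfig for testing; not a real Meraki download."""
    identity_uuid, ca_uuid = "ID-0001", "CA-0001"   # placeholder UUIDs
    wifi = {  # "Wi-Fi Network" payload
        "PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-0001",
        "SSID_STR": "Trusted-Access", "EncryptionType": "WPA2", "AutoJoin": True,
        "PayloadCertificateUUID": identity_uuid,   # identity used for EAP-TLS
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            "TLSTrustedCertificates": [ca_uuid] if pin_ca else [],
        },
    }
    identity = {"PayloadType": "com.apple.security.pkcs12",  # "Device Identity Certificate"
                "PayloadUUID": identity_uuid, "PayloadContent": b"<pkcs12 bytes>"}
    ca = {"PayloadType": "com.apple.security.root",          # "Certificate" (server CA)
          "PayloadUUID": ca_uuid, "PayloadContent": b"<der bytes>"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadUUID": "PROFILE-0001",
                           "PayloadContent": [wifi, identity, ca]})

def audit_profile(data: bytes) -> list:
    """Return findings for a downloaded profile; an empty list means it only
    configures certificate-based EAP-TLS with a pinned server CA."""
    by_type = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)
    wifi_payloads = by_type.get("com.apple.wifi.managed", [])
    if not wifi_payloads:
        return ["no Wi-Fi payload in profile"]
    identities = {p["PayloadUUID"] for p in by_type.get("com.apple.security.pkcs12", [])}
    cas = {p["PayloadUUID"] for t in ("com.apple.security.root", "com.apple.security.pkcs1")
           for p in by_type.get(t, [])}
    findings = []
    for wifi in wifi_payloads:
        ssid = wifi.get("SSID_STR", "?")
        eap = wifi.get("EAPClientConfiguration", {})
        types = eap.get("AcceptEAPTypes", [])
        if types != [EAP_TLS]:   # anything else means a password-based method could be offered
            findings.append(f"{ssid}: EAP types {types}, expected [{EAP_TLS}] only")
        if wifi.get("PayloadCertificateUUID") not in identities:
            findings.append(f"{ssid}: no device identity certificate referenced")
        if not set(eap.get("TLSTrustedCertificates", [])) & cas:
            findings.append(f"{ssid}: no trusted server CA certificate pinned")
    return findings
```

Run `audit_profile(open("profile.mobileconfig", "rb").read())` on a real download; a non-empty result is worth raising with the network administrator before tapping Install.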
1. After selecting Android as the device type, you will be prompted to install the Meraki Trusted Access app. Once it is installed, tap Add device.
2. This will bring you to the Trusted Access app with the network ID pre-populated. If it is blank, please enter your network ID or enrollment string and select Continue.
3. Enter login credentials and select Login.
4. Provide a name for the device and select Enroll device.
5. The device should now automatically download the Trusted Access profile.