Skip to main content

 

Cisco Meraki Documentation

Trusted Access for Secure Wireless Connectivity - Setup Guide

Overview 

Meraki Trusted Access is a simple and secure way to join phones, tablets, and laptops to Meraki MR wireless networks using certificate-based 802.1x authentication without enrolling the device into an MDM platform like Meraki Systems Manager. Trusted Access eliminates the management overhead associated with building and maintaining an on-premise 802.1x EAP-TLS solution for wireless access with distributed Certificate Authority (CA) and RADIUS server environments.   

Trusted Access is currently supported on the following operating systems:

  • iOS/iPadOS 11+
  • macOS 10.13+
  • Android 10+ (beta using Hotspot 2.0/Passpoint)
  • Windows 10+ (beta app)

Follow this guide to setup Trusted Access in a Meraki network.  

Trusted Access Configuration Overview and Process Flow

Meraki MR network administrators create Trusted Access profiles in the Meraki Dashboard to define access to the wireless network. End users can then log into the Meraki Self-Service Portal using their available authentication credentials to download a configuration profile to their devices to join the SSID.

See the following diagram for a complete admin and user configuration process flow description.

 

Trusted Access flow diagram

 

 

 

 

 

Trusted Access Config

 

 

 

  1.  SM Network enables authentication with AD or Meraki Auth.
  2. SM Network enables Self-Service portal access for new users.
  3. MR configures a Meraki Auth SSID as a Trusted Access SSID.
  4. MR generate a Trusted Access config for the SSID to be downloaded on client devices and sets a scope of which SM users receive this config.
  5. All users who should be able to use Trusted Access are given Trusted Access permissions via SM. All users that should be able to use the Self-Service portal are given SSP access via SM.

 

 

 

SSP access via SM

 

 

 

  1. Client uses unique link to access SM self-service portal.
  2. Client enters credentials configured for an SM network clients user.
  3.  Self service portal validates with SM that user is configured for Trusted Access.
  4.  (optional) SM network authenticates user credentials with active directory server.
  5.  (optional) AD server validates user authentication.
  6.   SM network authenticates users credentials. with Meraki Cloud Authentication users list.
  7.  Meraki Auth validates user authentication.
  8. SM network sends validation for user auth and sends Trusted Access config to SSP.
  9.  SSP delivers trusted access EAP-TLS cert with SSID Information to client.
  10.  Client attempts to connect to Trusted Access SSID on MR.

 

  • SSID requests
  • client cert
  • Client delivers cert

 

11. MR authenticates user credentials in cert against Meraki Cloud Authentication users list.

 

12. Meraki Auth validates user authentication.

 

13. MR acknowledges cert and user credentials and provides access to SSID.

 

Requirements

 

  • A network with a Meraki MR wireless access point.

  • A network with SM licenses in the same org as the MR. One SM license will be consumed for each Trusted Access device.

 

 

 

Step 1: Enable Authentication, SSP, and Trusted Access

 

 

 

 

 

  1. In the Meraki dashboard, navigate to Systems Manager > Configure > General
    clipboard_e2e9d60b01d7f8b4118a459a698750641.png
  2. Navigate to the User authentication settings section. Select your preferred end-user authentication method from the drop-down list provided.  To learn more about user authentication options check out this KB article.image10.png
  3. Navigate to the Self Service Portal settings section. Change the Self service Portal option to Enable SSP for this network.
    Screen Shot 2021-01-14 at 12.13.21 PM.png
  4. If you would like to allow all newly created users to automatically have access to the Self Service Portal, change the New User Access mode to Default grant.
  5. Take note of the Portal Link URL for your network. End users will need to visit this URL to set up and manage their Trusted Access devices.
  6. Navigate to the Trusted Access settings section. 
    clipboard_e62abd555bbb7d517eb74ea461b5b9b7a.png
  7. If you would like to allow all newly created users to automatically be enabled with rights to use Trusted Access, change the New User Access mode to Default grant. 
  8. Set a Default device limit to limit the number of devices a user may register with Trusted Access.  The max limit is 10 devices.

 

 

 

Note: The Trusted Access usage permission and device limit can be manually overwritten on a per-user basis in the Systems Manager > Owners page for an individual user.

 

 

 

  1. In the bottom right corner of the page, click Save to confirm your changes.
    clipboard_e22ee977f76b14aa1ee96ca84cdc42292.png

 

 

 

Step 2: Provision Owner Access

 

 

 

Next, you will have to provide access to owners (users) on your network to use Trusted Access. This can be done in a couple of ways. 

 

 

 

Check out this Knowledgebase article for more information about Owners, including how to create new owners.

 

To prvide access to existing owners in your Systems Manager network:

 

 

 

  1. Navigate to Systems Manager > Configure > Owners 
    clipboard_ec4e2d589db825f952bfa50d565e6d90e.png
  2. Click on the owner's name to open the edit modal.
  3. Under the SSP Options section, enable the Self Service Portal and Trusted Access settings
  4. The owner will automatically inherit its Trusted Access device limit as configured in Step 1-6.  You may change the device limit as needed.  
    clipboard_ebc63a32cb60dc012c03cf7d746067206.png
  5. Click Apply changes to close the modal and save the owner configuration.

 

 

 

To provide access to multiple existing owners in your Systems Manager network in bulk

 

 

 

  1. Navigate to Systems Manager > Configure > Owners 
  2. Select the owners you would like to configure by enabling the checkmark in the first field. 
  3. Click the Edit button. From the menu, enable the Self Service Portal and Trusted Access options. Set a max device count, and click Apply optionsclipboard_ed55ac7b0beb14ba5965f585a57d1b6b8.png

 

 

 

Step 3: Create and Configure a Trusted Access SSID

 

 

 

  1. In your MR wireless network dashboard, navigate to Wireless > Configure > SSIDs.
    clipboard_ecba7bbbf070aefdaccfa310fdca3a802.png
  2. Choose an SSID to be used for Trusted Access. Click edit settings to take you to the SSID's Access control page. Screen Shot 2019-10-18 at 4.37.58 PM.png
  3. Under the Security section, select Enterprise with Meraki Cloud Authentication on the Access Control page. This is the required form of authentication for Trusted Access when configuring the SSID. This setting will only affect the SSID being edited, systems manager authentication (such as Azure) can remain in use for enrollment authentication or the self service portal (enroll.meraki.com, portal.meraki.com).
  4. Click the Add config button under SM Trusted Access to open the configuration modal.
    clipboard_e0f0b45dfb8cea54b43dab6cdd4a9ee1f.png
  5. Set the Name of the configuration profile. This name will be visible to end users when configuring Trusted Access on their devices.  
  6. Choose the Systems Manager network you want users to use to register their devices when using this configuration. 
  7. Select an Access period type. 

    Static configurations require a start and end date. An end user may download a static configuration anytime, but access to the wireless network will be limited to the period between the defined dates. 
    clipboard_e08211912cf7ef24bd228028347033d28.png

    Dynamic configurations require a defined period. End users may download a dynamic configuration to access the wireless network for the time specified in the access period. The period begins when the Trusted Acc s profile is downloaded and activated on the device.
    clipboard_ed6ddad7c0880079f69aa9534c7a76f4e.png
  8. Choose a scope of tags to determine which users should have access to this configuration. For more information on how to use tags effectively, check out this KB article.  
  9. Click Add to close the configuration modal. Your new configuration will appear in the Tru ed Access configurations list, as seen in the example below:
    clipboard_e3f8cc013bed3d78fcb0c37851d516a1d.png
  10. Navigate to the Splash page section and ensure it is set to None (direct access):clipboard_e9f78be72bc76d6e324dde0e28a2b6f99.png
  11. In the bottom right corner of the page, click Save to confirm your changes.
    clipboard_e22ee977f76b14aa1ee96ca84cdc42292.png

 

 

 

Note: To use Trusted Access with Android Passpoint (beta), you must enable Hotspot 2.0 on the SSID.

  1. In the Meraki Dashboard, navigate to Wireless > Configure > Hotspot 2.0
    clipboard_e3392061011447a727be068d2e6e3695b.png
  2. Select the SSID from the dropdown menu
  3. Enter an Operator name and Venue name
  4. Change the Venue Type to Unspecified
  5. Change the Network type to Private network
  6. Enter radius.meraki.com in the Domain list  
    clipboard_ef453abb933805fa9a5998f7cebbecbf6.png
  7. Click Save Changes 

 

 

 

Note: End users will have a corresponding profile to install for Wi-Fi access (from portal.meraki.com) for each Trusted Access SSID created on a MR network. This can lead to multiple profiles for users to download for access (one for each SSID). Administrators deploying the same SSID name across various MR networks and wishing to simplify the end user's experience may consider the option of a MR Wireless template. A Wireless network template allows a single profile for users to install for Wi-Fi access while still being able to authenticate into every SSID.