Cisco Meraki Documentation

Trusted Access for Secure Wireless Connectivity - Setup Guide

Overview 

Meraki Trusted Access is a simple and secure way to join phones, tablets, and laptops to Meraki MR wireless networks using certificate-based 802.1X authentication, without enrolling the device in an MDM platform such as Meraki Systems Manager. Trusted Access eliminates the management overhead of building and maintaining an on-premises 802.1X EAP-TLS solution for wireless access with distributed Certificate Authority (CA) and RADIUS server environments.

Trusted Access is currently supported on the following operating systems:

  • iOS/iPadOS 11+
  • macOS 10.13+
  • Android 10+ (beta using Hotspot 2.0/Passpoint)
  • Windows 10+ (beta app)

Follow this guide to set up Trusted Access in a Meraki network.

Trusted Access Configuration Overview and Process Flow

Meraki MR network administrators create Trusted Access profiles in the Meraki Dashboard to define access to the wireless network. End users can then log into the Meraki Self-Service Portal using their available authentication credentials to download a configuration profile to their devices to join the SSID.

See the following diagram for a complete admin and user configuration process flow description.

[Diagram: Trusted Access admin and user configuration process flow]

Requirements

  • A network with a Meraki MR wireless access point.

  • A network with SM licenses in the same org as the MR. One SM license will be consumed for each Trusted Access device.

Step 1: Enable Authentication, SSP, and Trusted Access

  1. In the Meraki dashboard, navigate to Systems Manager > Configure > General
  2. Navigate to the User authentication settings section. Select your preferred end-user authentication method from the drop-down list provided. To learn more about user authentication options, check out this KB article.
  3. Navigate to the Self Service Portal settings section. Change the Self service Portal option to Enable SSP for this network.
  4. If you would like to allow all newly created users to automatically have access to the Self Service Portal, change the New User Access mode to Default grant.
  5. Take note of the Portal Link URL for your network. End users will need to visit this URL to set up and manage their Trusted Access devices.
  6. Navigate to the Trusted Access settings section. 
  7. If you would like to allow all newly created users to automatically be enabled with rights to use Trusted Access, change the New User Access mode to Default grant. 
  8. Set a Default device limit to limit the number of devices a user may register with Trusted Access.  The max limit is 10 devices.

Note: The Trusted Access usage permission and device limit can be manually overwritten on a per-user basis in the Systems Manager > Owners page for an individual user.

  9. In the bottom right corner of the page, click Save to confirm your changes.

Step 2: Create and Configure a Trusted Access SSID

  1. In your MR wireless network dashboard, navigate to Wireless > Configure > SSIDs.
  2. Choose an SSID to be used for Trusted Access. Click edit settings to open the SSID's Access control page.
  3. Under the Security section, select Enterprise with Meraki Cloud Authentication on the Access Control page. This is the required form of authentication for Trusted Access.
  4. Click the Add config button under SM Trusted Access to open the configuration modal.
  5. Set the Name of the configuration profile. This name will be visible to end users when configuring Trusted Access on their devices.  
  6. Choose the Systems Manager network you want users to use to register their devices when using this configuration. 
  7. Select an Access period type. 

    Static configurations require a start and end date. An end user may download a static configuration anytime, but access to the wireless network will be limited to the period between the defined dates. 

    Dynamic configurations require a defined period. End users may download a dynamic configuration to access the wireless network for the time specified in the access period. The period begins when the Trusted Access profile is downloaded and activated on the device.
  8. Choose a scope of tags to determine which users should have access to this configuration. For more information on how to use tags effectively, check out this KB article.  
  9. Click Add to close the configuration modal. Your new configuration will appear in the Trusted Access configurations list, as seen in the example below:
    [Screenshot: Trusted Access configurations list]
  10. Navigate to the Splash page section and ensure it is set to None (direct access).
  11. In the bottom right corner of the page, click Save to confirm your changes.
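
The two access period types in step 7 differ in what fixes the end of access: a static configuration ends on the same date for every device, while a dynamic configuration ends relative to each device's activation. The following Python example is added here for illustration and is not Meraki code; the AccessConfig model, its field names, the sample dates, and the exclusive end boundary are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class AccessConfig:
    # Hypothetical model of a Trusted Access configuration, not a Meraki API type.
    name: str
    period_type: str                    # "static" or "dynamic"
    start: Optional[datetime] = None    # static: access begins here
    end: Optional[datetime] = None      # static: access stops here (assumed exclusive)
    period: Optional[timedelta] = None  # dynamic: length of access after activation

def access_window(cfg: AccessConfig, activated: datetime) -> Optional[Tuple[datetime, datetime]]:
    """Usable (start, end) for a profile activated at `activated`; None if it never connects."""
    if cfg.period_type == "static":
        if cfg.start is None or cfg.end is None or cfg.end <= cfg.start:
            raise ValueError("static config needs start < end")
        if activated >= cfg.end:
            return None                 # profile downloaded after the window closed
        return max(cfg.start, activated), cfg.end
    if cfg.period_type == "dynamic":
        if cfg.period is None or cfg.period <= timedelta(0):
            raise ValueError("dynamic config needs a positive period")
        return activated, activated + cfg.period
    raise ValueError(f"unknown period type: {cfg.period_type!r}")

def has_access(cfg: AccessConfig, activated: datetime, now: datetime) -> bool:
    """True if a device that activated the profile at `activated` may connect at `now`."""
    window = access_window(cfg, activated)
    return window is not None and window[0] <= now < window[1]

# Constructed sample configurations and dates.
STATIC = AccessConfig("Conference Wi-Fi", "static",
                      start=datetime(2025, 1, 6), end=datetime(2025, 1, 10))
DYNAMIC = AccessConfig("Contractor Wi-Fi", "dynamic", period=timedelta(days=3))

if __name__ == "__main__":
    for activated in (datetime(2025, 1, 2), datetime(2025, 1, 9), datetime(2025, 1, 12)):
        print(activated.date(),
              "static:", access_window(STATIC, activated),
              "dynamic:", access_window(DYNAMIC, activated))
```

A late download shortens a static window but never a dynamic one, so a dynamic configuration has no single calendar cutoff across devices.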

Note: To use Trusted Access with Android Passpoint (beta), you must enable Hotspot 2.0 on the SSID.

  1. In the Meraki Dashboard, navigate to Wireless > Configure > Hotspot 2.0
  2. Select the SSID from the dropdown menu
  3. Enter an Operator name and Venue name
  4. Change the Venue Type to Unspecified
  5. Change the Network type to Private network
  6. Enter radius.meraki.com in the Domain list  
  7. Click Save Changes 

 

Step 3: Provision Owner Access

Next, you will have to provide access to owners (users) on your network to use Trusted Access. This can be done in a couple of ways. 

Check out this Knowledgebase article for more information about Owners, including how to create new owners.

To provide access to existing owners in your Systems Manager network:

  1. Navigate to Systems Manager > Configure > Owners 
  2. Click on the owner's name to open the edit modal.
  3. Under the SSP Options section, enable the Self Service Portal and Trusted Access settings
  4. The owner will automatically inherit its Trusted Access device limit as configured in Step 1-6.  You may change the device limit as needed.  
  5. Click Apply changes to close the modal and save the owner configuration.

To provide access to multiple existing owners in your Systems Manager network in bulk:

  1. Navigate to Systems Manager > Configure > Owners 
  2. Select the owners you would like to configure by enabling the checkmark in the first field. 
  3. Click the Edit button. From the menu, enable the Self Service Portal and Trusted Access options. Set a max device count, and click Apply options.