Certificate Requirements for TLS
Transport Layer Security (TLS) is used to encrypt communication between Cisco Meraki devices and a Domain Controller or identity server (running Active Directory or LDAP services). TLS is a prerequisite to the following configurations:
- Active Directory-based group policy mappings
- Client VPN authentication with Active Directory (applies to L2TP and AnyConnect)
- Splash Page authentication with Active Directory
- Local authentication - MR 802.1x
- MS-CHAPv2 with RADIUS
To use TLS, a certificate with the appropriate parameters must be installed on the Domain Controller. This article outlines the necessary certificate parameters for TLS.
Adding a Certificate
Though an existing certificate can be modified to meet the parameters outlined below, a self-signed certificate can easily be configured and used for TLS.
It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.
For RADIUS servers or other identity providers, please refer to your server provider's documentation for configuration steps.
Configuring a Certificate for TLS
The following notes describe certificate parameters used in Windows Server, but can be generalized for any certificate's parameters.
Under the General tab, check for the following attributes:
- The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: "You have a private key that corresponds to this certificate".
- Verify that the following statement appears: "This certificate is intended for the following purpose(s): Proves your identity to a remote computer".
- Check that the certificate is still valid, based on the "Valid from" values.
Under the Details tab:
- The Version value must contain "v3", indicating that it is an X.509 Version 3 certificate.
- The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").
- The Subject value must contain the Fully Qualified Domain Name of the RADIUS server or Active Directory server, e.g. myserver.mydomain.com.
- The Public key value should be set to "RSA (2048 Bits)".
- The "Subject Alternative Name" value must contain the syntax "DNS Name=myserver.mydomain.com" where the the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.
- The Key usage must contain the "Digital Signature" and "Key Encipherment" values.
Note: In Server 2012, this option may be available as "Data Encipherment."
Additional Resources
For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.
For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.