Skip to main content

 

Cisco Meraki Documentation

Certificate Requirements for TLS

Transport Layer Security (TLS) is used to encrypt communication between Cisco Meraki devices and a Domain Controller or identity server (running Active Directory or LDAP services). TLS is a prerequisite to the following configurations:

  • Active Directory-based group policy mappings
  • Client VPN authentication with Active Directory (applies to L2TP and AnyConnect)
  • Splash Page authentication with Active Directory
  • Local authentication - MR 802.1x
  • MS-CHAPv2 with RADIUS

To use TLS, a certificate with the appropriate parameters must be installed on the Domain Controller. This article outlines the necessary certificate parameters for TLS.

Adding a Certificate

Though an existing certificate can be modified to meet the parameters outlined below, a self-signed certificate can easily be configured and used for TLS.

It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.

 

For RADIUS servers or other identity providers, please refer to your server provider's documentation for configuration steps.

Configuring a Certificate for TLS

The following notes describe certificate parameters used in Windows Server, but can be generalized for any certificate's parameters.

Under the General tab, check for the following attributes:

  • The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: "You have a private key that corresponds to this certificate".
  • Verify that the following statement appears: "This certificate is intended for the following purpose(s): Proves your identity to a remote computer". 
  • Check that the certificate is still valid, based on the "Valid from" values.

General tab for certificate shows "This certificate is intended for the following purpose(s): Proves your identity to a remote computer". and "You have a private key that corresponds to this certificate". Valid from and to dates are shown.

 

Under the Details tab:

  • The Version value must contain "v3", indicating that it is an X.509 Version 3 certificate.

Details tab shows version field selected, with "V3" as the value.

 

  • The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").

Details tab Enhanced Key Usage field has value including server authentication (1.3.6.1.5.5.7.3.1).

 

  • The Subject value must contain the Fully Qualified Domain Name of the RADIUS server or Active Directory server, e.g. myserver.mydomain.com. 
  • The Public key value should be set to "RSA (2048 Bits)".

Details tab Subject field shows example value of "CN=dc1.meraki.local". Public key field shows value of RSA (2048 Bits).

 

  • The "Subject Alternative Name" value must contain the syntax "DNS Name=myserver.mydomain.com" where the the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.

Details tab Subject Alternative Name field shows example value of "DNS Name=dc1.meraki.local".

 

  • The Key usage must contain the "Digital Signature" and "Key Encipherment" values.
    Note: In Server 2012, this option may be available as "Data Encipherment."

Details tab Key Usage field shows value containing Digital Signature, Key Encipherment.

Additional Resources

For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.

  • Was this article helpful?