Home > Wireless LAN > Encryption and Authentication > Configuring Clients for 802.1X and Meraki-hosted RADIUS

Configuring Clients for 802.1X and Meraki-hosted RADIUS

Windows 10

The following steps will configure a Windows 10 client to use 802.1X with Meraki-hosted RADIUS (NOTE:  these are instructions for the 802.1X with Meraki-hosted RADIUS only.  Customer-based RADIUS server configuration requirements are specific to the customer's own RADIUS server and can vary widely):

  1. Click the "Start" menu
  2. Navigate to Settings (Gear Icon) > Network & Internet > Wi-Fi > Manage Known Networks
  3. Click 'Network and Sharing Center'
  4. Select 'Set up a new connection or network'
  5. Select 'Manually connect to a wireless network'
  6. Enter the SSID name in the 'Network name:' field
  7. Select 'WPA2-Enterprise' in the 'Security type:' drop down
  8. Select your encryption type from the 'Encryption type' drop down
  9. Click 'Next'
  10. When 'Successfully added' appears click 'Change connection settings'
  11. Select the 'Security' tab
  12. Click the 'Advanced settings' button
  13. On the '802.1x settings' tab, check the box 'Specify authentication mode' and choose 'User Authentication' from the drop down
  14. Click 'OK'
  15. Back on the 'Security' tab, make sure 'Choose a network authentication method' is set to 'EAP (PEAP)' and then click the 'Settings' button
  16. Click 'OK'
  17. For 'Protected EAP Properties' uncheck 'Validate server certificate' or if you choose to validate server certificate make sure 'Go Daddy Class 2 Certification Authority' and/or 'http://valicert.com' is checked in the 'Trusted Root Certification Authorities' list.
  18. Click the 'Configure' button
  19. Uncheck 'Automatically use my Windows logon name'
  20. Click 'OK' to close all the open dialog boxes

Apple macOS

The following steps will configure a macOS client to use 802.1X with Meraki-hosted RADIUS (NOTE:  these are instructions for the 802.1X with Meraki-hosted RADIUS only.  Customer-based RADIUS server configuration requirements are specific to the customer's own RADIUS server and can vary widely):

  1. Go to System Preferences => Network => AirPort => Advanced => 802.1X
  2. Click the "+" button in the lower left corner of the screen to add a new user profile
  3. Enter your user name and password given to you by your network administrator into the fields to the right.
  4. Select your network from the drop down list of menus
  5. Make sure TTLS and PEAP checkboxes are selected
  6. Click "OK"
  7. You should now be able to connect to the network.

Android

The following steps will configure an Android client to use 802.1X with Meraki-hosted RADIUS (NOTE: these are instructions for the 802.1X with Meraki-hosted RADIUS only.  Customer-based RADIUS server configuration requirements are specific to the customer's own RADIUS server and can vary widely):

  1. Go to Settings > Wi-Fi
  2. Open the options menu by clicking the context menu button: context_menu_android.png 

Note: This step may vary by device, or on tablets. The Add Wi-Fi option may not be hidden behind a context menu.

  1. Select Add Wi-Fi
  2. Enter the Network SSID name and choose 802.1x EAP from the Security drop-down menu
  3. Choose PEAP from the EAP method drop-down menu
  4. Choose MSCHAPV2 from the Phase 2 authentication drop-down menu
  5. Enter the domain and username in the Identity field. Use the domain/username format
  6. Enter the password for the corresponding username in the password field
  7. Optionally, check the Show Password check-box to verify that the password was entered correctly
  8. Press Save in order to save the changes

Windows 8

Unlike previous versions of the OS, Windows 8 will not attempt to automatically use local credentials for wireless connections. As such, associating with an 802.1x-protected SSID consists of simply connecting to the network, as outlined below:

  1. Navigate to the Desktop.
  2. Select the wireless network icon on the lower-right hand of the screen.
  3. Select the intended SSID on the right.
  4. Check/uncheck the Connect automatically option as intended, and press Connect.
  5. Enter the email address and password of the Meraki RADIUS user, in the User name and Password fields respectively.
  6. Select Connect.
  7. If prompted about a certificate warning, select Connect again.

Windows Vista

The following steps will configure a Windows Vista client to use 802.1X with Meraki-hosted RADIUS (NOTE:  these are instructions for the 802.1X with Meraki-hosted RADIUS only.  Customer-based RADIUS server configuration requirements are specific to the customer's own RADIUS server and can vary widely):

  1. Go to Start and enter "Network and Sharing Center".
  2. Click "Set up a connection or network".
  3. Click "Manually connect to a wireless network".
  4. Enter the SSID (case sensitive).
  5. Choose WPA2-Enterprise and AES.
  6. Check "Start this connection automatically" and "Connect even if the network is not broadcasting" (for hidden SSIDs).
  7. On the next screen, choose "Change connection settings".
  8. On the Connection tab, check only the boxes "Connect automatically when this network is in range" and "Connect even if the network is not broadcasting" (for hidden SSIDs).
  9. On the Security tab, make sure "WPA2-Enterprise" and "AES" are selected as well as "Microsoft: Protected EAP (PEAP)". Click Settings.
  10. Uncheck "Validate server certificate".
  11. Click "Configure" and uncheck "Automatically use my Windows logon name and password (and domain if any)". Click OK three times.
  12. Now click "Connect to network", select your SSID from the list, and "Enter/select additional log on information".
  13. Here you enter the username and password which are configured on the Configure->Users page on the dashboard. Click OK.
  14. You should now be successfully connected.

Windows 7

The following steps will configure a Windows 7 client to use 802.1X with Meraki-hosted RADIUS (NOTE:  these are instructions for the 802.1X with Meraki-hosted RADIUS only.  Customer-based RADIUS server configuration requirements are specific to the customer's own RADIUS server and can vary widely):

  1. Click the "Start" menu. 
  2. Navigate to Control Panel>Network and Internet>Network and Sharing Center>Manage Wireless Networks.
  3. Click "Add".
  4. Select "Manually create a network profile".
  5. Enter the SSID name in the "Network name:" field.
  6. Select "WPA2-Enterprise" in the "Security type:" drop down.
  7. Select your encryption type from the "Encryption type" drop down.
  8. Click "Next".
  9. When "Successfully added" appears "Click Change connection settings".
  10. Select the "Security" tab.
  11. Click the "Advanced settings" button.
  12. On the "802.1x settings" tab, check the box "Specify authentication mode" and choose "User Authentication" from the drop down.
  13. Click "OK".
  14. Back on the "Security" tab, make sure "Choose a network authentication method" is set to "EAP (PEAP)" and then click the "Settings" button.  
  15. For "Protected EAP Properties" uncheck "Validate server certificate" or if you choose to validate server certificate make sure "Go Daddy Class 2 Certification Authority" and/or "http://valicert.com" is checked in the "Trusted Root Certification Authorities" list.
  16. Click the "Configure" button.
  17. Uncheck "Automatically use my Windows logon name".
  18. Click "OK" to close all the open dialog boxes.

Windows XP

The following steps will configure a Windows XP client to use 802.1X with Meraki-hosted RADIUS (NOTE:  these are instructions for the 802.1X with Meraki-hosted RADIUS only.  Customer-based RADIUS server configuration requirements are specific to the customer's own RADIUS server and can vary widely):

  1. Switch to a network other than the one you want to configure (otherwise Windows will not retain your changes).
  2. Go to Control Panel -> Network Connections -> Wireless Network Connection
  3. Click on Properties, go to "Wireless Networks" tab
  4. Find the network name under the "Preferred Networks" list, click Properties, click Authentication tab.
  5. For "EAP type", choose PEAP. (The default is "smart card or other certificate" which will not work).
  6. Still on the Authentication tab, uncheck the "Authenticate as computer when computer information is available" box.
  7. Click Properties under PEAP.
  8. Under 'Trusted Root Certification Authorities', scroll down to "UTN-USERFirst-Hardware" and check that box.
  9. Still under 'Trusted Root Certification Authorities', scroll down to "Go Daddy Class 2 Certification Authority" and/or "http://www.valicert.com" and check those boxes.
  10. Make sure the "do not prompt user to authorize new servers...." box is unchecked.
  11.  Under "select authentication method", make sure that "EAP-MSCHAPv2" is selected. Click the "configure" button next to it, and uncheck the "Automatically use my Windows logon name..." box.
  12. Click OK to close all the open dialog boxes.
You must to post a comment.
Last modified
14:46, 18 Sep 2017

Tags

Classifications

This page has no classifications.

Article ID

ID: 2115

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community