Home > Enterprise Mobility Management > Other Topics > Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi

Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi

Systems Manager Sentry Wi-Fi security provides automatic certificate-based EAP-TLS configuration in just a few clicks, eliminating the need for the use of a certificate authority (CA) and the additional management required for each device and user.

This article outlines how to integrate SM Sentry with Cisco Meraki MR access points for EAP-TLS wireless authentication.

Use Case

Commonly, network administrators want to configure different settings for corporate owned devices, employee owned devices, and guests. Each group of users will likely have their own separate SSID, with an additional SSID for onboarding:

SSID

Use Case

Default SSID Policy

Corp

Corporate-owned devices only

Full access on Corporate VLAN

BYOD

Employee-owned devices

Limited Corporate access

Some apps optionally limited

Higher bandwidth than Guest

Guest

All others

Filtered Internet

Rate limit

No corporate devices

Corp-onboarding

Onboarding to Corp network only

Restricted to onboarding

Configuring EAP-TLS using Systems Manager Sentry WiFi Security

The following instructions explain how to apply EAP-TLS wireless access to corporate-owned devices tagged as "Corp" in our example Systems Manager network.

  1. In Dashboard, navigate to Wireless > Configure > SSID and enable/name each SSID.
    The example image below shows four SSIDs: SL-corp, SL-byod, SL-guest and SL-corp-onboarding:
  2. Navigate to Wireless > Configure > Access Control:
  3. Select the device tags to be associated with EAP-TLS. This automatically creates a Systems Manager profile for the SL-corp SSID to use EAP-TLS and installs a client certificate from the Dashboard for each client (this profile will not appear under MDM > Settings). Note that wireless authentication settings should be provisioned from either the SSID side, as described in this article, or the MDM profile side in Systems manager > MDM > Settings, and not both.

Sentry Wifi security is not to be confused with Sentry enrollment, as shown in the splash page configuration below. Sentry enrollment is typically deployed as a separate SSID (SL-corp-onboarding in this article) to initially enroll devices into Systems Manager, while Sentry security grants secure wifi access to devices already enrolled.

  1. Click Save Changes. EAP-TLS is now configured for all devices tagged corp in Systems Manager.EAP4.png

You must to post a comment.
Last modified
16:01, 2 Aug 2016

Tags

Classifications

This page has no classifications.

Article ID

ID: 5247

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community