Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi

Systems Manager Sentry Wi-Fi security provides automatic certificate-based EAP-TLS configuration in just a few clicks, eliminating the need for a separate certificate authority (CA) and the additional management required for each device and user.

This article outlines how to integrate SM Sentry with Cisco Meraki MR access points for EAP-TLS wireless authentication.

Use Case

Network administrators commonly want to configure different settings for corporate-owned devices, employee-owned devices, and guests. Each group of users will likely have its own separate SSID, with an additional SSID for onboarding:


Use Case                          Default SSID Policy
Corporate-owned devices only      Full access on Corporate VLAN
Employee-owned devices            Limited Corporate access; some apps optionally limited; higher bandwidth than Guest
All others                        Filtered Internet; rate limit; no corporate devices
Onboarding to Corp network only   Restricted to onboarding

Configuring EAP-TLS using Systems Manager Sentry WiFi Security

The following instructions explain how to apply EAP-TLS wireless access to corporate-owned devices tagged as "Corp" in our example Systems Manager network.

  1. In Dashboard, navigate to Wireless > Configure > SSID, then enable and name each SSID.
    This example uses four SSIDs: SL-corp, SL-byod, SL-guest and SL-corp-onboarding.
  2. Navigate to Wireless > Configure > Access Control.
  3. Select the device tags to be associated with EAP-TLS. This automatically creates a Systems Manager profile that configures the SL-corp SSID to use EAP-TLS, and installs a client certificate from the Dashboard on each client (this profile will not appear under Systems Manager > Manage > Settings). Note that wireless authentication settings should be provisioned from either the SSID side, as described in this article, or the MDM profile side in Systems Manager > Manage > Settings, and not both.

Sentry Wi-Fi security is not to be confused with Sentry enrollment, which is a splash page option. Sentry enrollment is typically deployed on a separate SSID (SL-corp-onboarding in this article) to initially enroll devices into Systems Manager, while Sentry security grants secure Wi-Fi access to devices that are already enrolled.

  4. Click Save Changes. EAP-TLS is now configured for all devices tagged "Corp" in Systems Manager.

Sentry WiFi Device Operating System Compatibility

Operating System     Sentry WiFi Supported
iOS                  Yes
macOS                Yes
tvOS                 No
Windows 10
Samsung Knox 3.0+
Chrome OS            No

1. Local user accounts only. In a multi-user environment on a single device, the Sentry WiFi profile may need to be pushed for each user.

2. Android 6+ in BYOD mode or Device Owner mode. Android 5 does not work with Sentry WiFi.

3. A passcode is required on the device while in Knox mode.



Article ID

ID: 4247
