Cisco Meraki Documentation

Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi


Systems Manager Sentry Wi-Fi security provides automatic certificate-based EAP-TLS configuration in a few clicks. Dashboard issues and installs the client certificates itself, so there is no need to run a separate certificate authority (CA) or to manage a certificate for each device and user by hand.

Sentry Wi-Fi does not support third-party-signed SCEP CA certificates: a Systems Manager network that uses a third-party-signed SCEP CA cannot also use Sentry authentication.

This article outlines how to integrate SM Sentry with Cisco Meraki MR access points for EAP-TLS wireless authentication.

Use Case

Commonly, network administrators want to configure different settings for corporate-owned devices, employee-owned devices, and guests. Each group of users will likely have its own SSID, with an additional SSID for onboarding:

SSID               Use Case                           Default SSID Policy
Corp               Corporate-owned devices only       Full access on Corporate VLAN
BYOD               Employee-owned devices             Limited Corporate access; some apps optionally limited; higher bandwidth than Guest
Guest              All others                         Filtered Internet; rate limit; no corporate devices
Corp-onboarding    Onboarding to Corp network only    Restricted to onboarding

Configuring EAP-TLS using Systems Manager Sentry WiFi Security

The following instructions explain how to apply EAP-TLS wireless access to corporate-owned devices tagged as "Corp" in our example Systems Manager network.

  1. In Dashboard, navigate to Wireless > Configure > SSIDs and enable and name each SSID.
     The example below uses four SSIDs: SL-corp, SL-byod, SL-guest and SL-corp-onboarding.
     [Image: Configuration Overview page]
  2. Navigate to Wireless > Configure > Access Control and select the SL-corp SSID.
     [Image: Access Control page]
  3. Under SM Sentry Wi-Fi, select the device tags that should be associated with EAP-TLS. This automatically creates a Systems Manager profile that configures the SL-corp SSID for EAP-TLS and installs a client certificate issued by Dashboard on each tagged client (the profile appears under Systems Manager > Manage > Settings). Provision wireless authentication settings from one side only: either from the SSID, as described here, or from an MDM profile under Systems Manager > Manage > Settings, never both.
     [Image: Select SM Sentry Wi-Fi settings]
  4. Click Save Changes. EAP-TLS is now configured for all devices tagged corp in Systems Manager.
     [Image: iPad, General settings, profile management]

Sentry WiFi Device Operating System Compatibility

Operating System      Sentry WiFi Supported
iOS                   Yes
macOS                 Yes
tvOS                  Yes
Windows 10/11         Yes (1)
Android               Yes (2)
Samsung Knox 3.0+     Yes (3)
Chrome OS             No

(1) Local user accounts only. In a multi-user environment on a single device, the Sentry WiFi profile will only function successfully for a single user. Users must be logged in to associate to the Sentry WiFi SSID.

(2) A passcode is required on the device while in Knox mode.

Certificate-based WiFi authentication with Systems Manager and Meraki APs


Introduction  

This article explains the steps to configure certificate-based (EAP-TLS) Wi-Fi authentication for iOS, Android, macOS, and Windows devices using Cisco Meraki Systems Manager and Cisco Meraki access points.

Each device enrolled in Systems Manager is issued a unique SCEP certificate. The access points authenticate the device with this certificate.

Authentication happens automatically in the background; users never enter credentials and administrators never distribute certificates by hand.

The same SSID can also accept username-and-password authentication. Those user credentials must be managed from the Users page.

[Image: Certificate-based authentication workflow]

[Image: Authenticating using the username and password]

Prerequisites  

  • Devices must be enrolled in a Systems Manager network in the same organization as the wireless network they connect to

  • Android 4.3 or higher  

  • Systems Manager app required 

Step-by-step instructions  

Step 1: Tag relevant devices

With this method, access to the wireless network from mobile devices is granted through manually applied tags.

For more information about tags, refer to Using and Applying Tags in Systems Manager. In this case, apply the desired tag to the relevant devices.

Step 2: Configure the Wireless Network

Configure a wireless SSID that will use certificate-based authentication with SCEP certificates. This can be a new or existing SSID, as long as the association requirements are configured correctly.

a. Navigate to Wireless > Configure > Access control

b. Select the desired SSID

c. Under Security, select Enterprise with Meraki Cloud authentication

[Image: Selecting Meraki Cloud Authentication]

d. Under SM Sentry Wi-Fi, click Add Sentry Network and select the desired Network, Scope, and Tag(s). 

Devices with any of the configured tags are allowed to access the SSID. If the organization contains multiple Systems Manager networks, the network name appears before the tag. 

[Image: Adding Sentry network]

e. Configure any additional SSID settings as required.

f. Click Save Changes.

Allow time for the profile and certificate to be automatically pushed to tagged devices. Devices must be online and able to check in with Systems Manager to receive updates.

Disallow Access 

To remove a device’s access to the wireless network: 

Verification  

Confirm profile on devices  

On each device with the relevant tag, a profile named Meraki Wifi is automatically applied. This can be verified from the client details page in Systems Manager.

[Image: Confirming profiles on devices]

This can also be confirmed on the device. 

For iOS devices:

  1. Navigate to Settings > General > Device Management > Meraki Management > More Details.

  2. Verify that:

     a. the configured SSID (in this case, Meraki-Cert) appears under Wi-Fi Networks

     b. a certificate named Wi-Fi SCEP Certificate appears under Device Identity Certificates

[Image: Wi-Fi networks]

[Image: Device identity certificates]

For Android devices:

  1. Open the Systems Manager app.

  2. Verify that the Meraki Wifi profile is present.

[Image: Systems Manager status]
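Because access to the SSID is decided entirely by the tag (Step 1 grants it, Step 2d tells the SSID which tags to admit, and removing the tag withdraws it), the state of a whole fleet can be audited from the Dashboard API instead of opening each device. The following is an added example, not Meraki's own code. It assumes the response shapes of GET /networks/{networkId}/sm/devices (id, name, tags) and GET /networks/{networkId}/sm/devices/{deviceId}/certs (name, notValidAfter), and the body of POST /networks/{networkId}/sm/devices/modifyTags ({ids, tags, updateAction}); those paths and field names are assumptions to check against the current Dashboard API reference. The device and certificate records are constructed sample data, so the audit runs offline; the network helper is only exercised when you pass a real API key and network ID to audit_network.

```python
"""Audit Sentry Wi-Fi (EAP-TLS) eligibility by Systems Manager tag.

Added example, not Meraki's own code. Endpoint paths and field names are
assumptions to verify against the Dashboard API reference.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.meraki.com/api/v1"
# Certificate name the article says appears under Device Identity Certificates.
WIFI_CERT_NAME = "Wi-Fi SCEP Certificate"


def api(method, path, api_key, body=None):
    """Minimal Dashboard API call using only the standard library (not used by the offline sample)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path, data=data, method=method,
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def parse_ts(value):
    """Dashboard timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def devices_with_tag(devices, tag):
    """Devices carrying the tag selected under SM Sentry Wi-Fi, i.e. those the SSID admits."""
    return [d for d in devices if tag in d.get("tags", [])]


def audit_device(certs, now, warn_days=30):
    """Classify one device's Wi-Fi SCEP certificate as missing, expired, expiring or ok."""
    wifi_certs = [c for c in certs if c.get("name") == WIFI_CERT_NAME]
    if not wifi_certs:
        return "missing"            # profile not pushed yet, or device never checked in
    expiry = max(parse_ts(c["notValidAfter"]) for c in wifi_certs)
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(devices, certs_by_device, tag, now, warn_days=30):
    """Map device id -> status for every device the tag admits to the SSID."""
    return {d["id"]: audit_device(certs_by_device.get(d["id"], []), now, warn_days)
            for d in devices_with_tag(devices, tag)}


def revoke_request(device_ids, tag):
    """Body for POST /networks/{networkId}/sm/devices/modifyTags that removes the tag,
    which drops the device from the SSID's allowed set (assumed request shape)."""
    return {"ids": list(device_ids), "tags": [tag], "updateAction": "delete"}


def audit_network(network_id, api_key, tag, now=None):
    """Live version: pull tagged devices and their certificates from the Dashboard API."""
    now = now or datetime.now(timezone.utc)
    devices = api("GET", f"/networks/{network_id}/sm/devices", api_key)
    certs = {d["id"]: api("GET", f"/networks/{network_id}/sm/devices/{d['id']}/certs", api_key)
             for d in devices_with_tag(devices, tag)}
    return audit(devices, certs, tag, now)


# Constructed sample data in the assumed response shapes (not real devices).
SAMPLE_DEVICES = [
    {"id": "1001", "name": "sl-ipad-01", "tags": ["corp"]},
    {"id": "1002", "name": "sl-mac-02", "tags": ["corp"]},
    {"id": "1003", "name": "sl-phone-03", "tags": ["byod"]},          # not admitted to SL-corp
    {"id": "1004", "name": "sl-win-04", "tags": ["corp", "finance"]},
]
SAMPLE_CERTS = {
    "1001": [{"name": WIFI_CERT_NAME, "notValidAfter": "2027-01-15T00:00:00Z"}],
    "1002": [{"name": WIFI_CERT_NAME, "notValidAfter": "2026-01-20T00:00:00Z"}],
    "1004": [],                                                      # tagged, but no certificate yet
}
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = audit(SAMPLE_DEVICES, SAMPLE_CERTS, "corp", SAMPLE_NOW)
    for device_id, status in report.items():
        print(device_id, status)
    stale = [i for i, s in report.items() if s in ("missing", "expired")]
    print("revoke body:", json.dumps(revoke_request(stale, "corp")))
```

A device reported as missing has the tag but no Wi-Fi SCEP Certificate yet, which is the state described under Step 2f: it has not been online to check in and receive the profile. Removing the tag is the inverse of Step 1, so access is withdrawn per device with the modifyTags body above and the SSID configuration itself is never touched.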