Skip to main content
Cisco Meraki Documentation

Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi

Systems Manager Sentry Wi-Fi security provides automatic certificate-based EAP-TLS configuration in just a few clicks, eliminating the need for the use of a certificate authority (CA) and the additional management required for each device and user.

We cannot simultaneously support third-party-signed SCEP CA certs and Sentry Wifi. This means third-party-signed SCEP CA certs are not compatible with Sentry Authentication. 

This article outlines how to integrate SM Sentry with Cisco Meraki MR access points for EAP-TLS wireless authentication.

Use Case

Commonly, network administrators want to configure different settings for corporate owned devices, employee owned devices, and guests. Each group of users will likely have their own separate SSID, with an additional SSID for onboarding:

SSID

Use Case

Default SSID Policy

Corp

Corporate-owned devices only

Full access on Corporate VLAN

BYOD

Employee-owned devices

Limited Corporate access

Some apps optionally limited

Higher bandwidth than Guest

Guest

All others

Filtered Internet

Rate limit

No corporate devices

Corp-onboarding

Onboarding to Corp network only

Restricted to onboarding

Configuring EAP-TLS using Systems Manager Sentry WiFi Security

The following instructions explain how to apply EAP-TLS wireless access to corporate-owned devices tagged as "Corp" in our example Systems Manager network.

  1. In Dashboard, navigate to Wireless > Configure > SSID and enable/name each SSID.
    The example image below shows four SSIDs: SL-corp, SL-byod, SL-guest and SL-corp-onboarding:
    clipboard_edab64f3dfa0bf435a1e2236963e70b13.png
  2. Navigate to Wireless > Configure > Access Control:
    clipboard_e5f317c46634f815092f1c2b9d04b15b0.png

     
  3. Select the device tags to be associated with EAP-TLS. This automatically creates a Systems Manager profile for the SL-corp SSID to use EAP-TLS and installs a client certificate from the Dashboard for each client (this profile will appear under Systems Manager > Manage > Settings). Note that wireless authentication settings should be provisioned from either the SSID side, as described in this article, or the MDM profile side in Systems Manager > Manage > Settings and not both.

clipboard_e6d7527cf17f3f6aa7c3f4191bb4d8627.png

  1. Click Save Changes. EAP-TLS is now configured for all devices tagged corp in Systems Manager.EAP4.png

Sentry WiFi Device Operating System Compatibility

Operating System Sentry WiFi Supported
iOS  Yes
macOS Yes
tvOS No
Windows 10/11

Yes1

Android

Yes2

Samsung Knox 3.0+

Yes3 
Chrome OS No

1. Local user accounts only. In a multi-user environment on a single device the Sentry WiFi profile may need to be pushed for each user.   Users must be logged in to associate to Sentry WiFi SSID.

2. A passcode is required on the device while in Knox mode.  

Certificate-based WiFi authentication with Systems Manager and Meraki APs

Systems Manager can be used with Cisco Meraki wireless networks to easily deploy certificate-based (EAP-TLS) authentication to iOS, Android, OS X, and Windows clients. This is ideal for customers that want to seamlessly and securely (using WPA2) authenticate users while avoiding the additional requirements of an external RADIUS server. This article will cover an example of how to implement this solution.

How it Works

Each device enrolled in Systems Manager is given a unique SCEP certificate. When configured as shown below, this certificate is used by the Cisco Meraki access points to authenticate the device. All completed automatically in the background without a need to manually enter credentials or distribute a certificate.

 

This method also allows users to authenticate to the same SSID with a username and password, however, user credentials will need to be managed from the Users page.

a8efbe60-a83c-4ee1-a6da-23457ffd9fcc

Configuring

The following instructions explain the process to set up certificate-based authentication, both in Systems Manager, and on the MR configuration side:

Tag Relevant Devices

Providing access to the wireless network from mobile devices using this method is done via manual tags. For more information on tags, read the article on Using and Applying Tags in Systems Manager. In this case, apply the desired tag to relevant devices.

 

Devices must be enrolled in a Systems Manager network in the same organization as the wireless network they will be connecting to. Android devices must be running Android 4.3 or higher and have the Systems Manager app installed.

Setup the Wireless Network

Setup a wireless SSID that will be authenticated to using the SCEP certificates. This can be a new SSID, or an existing one, as long as the Association requirements are configured as below. 

 

  1. Navigate to Wireless > Configure > Access control in the wireless network.
  2. Select the desired SSID.
  3. Under Security, select the option for Enterprise with Meraki Cloud authentication.
    clipboard_e04a9bed54221c2af3b5839baadc687a0.png
     
  4. Below the SM Sentry Wi-Fi click Add Sentry Network and select the desired Network, Scope, and Tag(s). Devices with ANY of the tags listed will be allowed. If the organization has multiple Systems Manager networks, the network name will precede the tag.
    clipboard_e00758871eab5fe658b77e59530a6642a.png
  5. Optionally, perform any additional configuration for this SSID as needed.
  6. Click Save Changes.

Please allow time for the automatic profile and certificate to be pushed down to the tagged devices before connecting to the SSID. Devices must be online and able to check-in with Systems Manager in order to receive updates.

Confirm Profile on Devices

On each device with the relevant tag, a Profile called Meraki Wifi will be applied to the device. This can be seen on the client details page in Systems Manager. 

2017-07-20 09_00_31-Clients - Meraki Dashboard.png

This can also be confirmed on the device. For iOS devices look under General > Device Management > Meraki Management > More Details. There should be a WIFI NETWORKS entry for the SSID (in this case, Meraki-Cert) and one under DEVICE IDENTITY CERTIFICATES titled "WiFi SCEP Certificate".

ea7e18f4-bfe6-4b76-9914-6b0cf67299b2

7a42e9f3-ddfa-43a1-a895-510a4da57ba9

For Android devices, open the Systems Manager app, and confirm that a profile exists for "Meraki Wifi". The Systems Manager app is required for this functionality.

d1d57c9a-6d11-4496-894c-43e7223e11a0

Disallowing Access

To remove a client device's access to the wireless network via certificate, either: