Transport Layer Security (TLS) is used to encrypt communication between Cisco Meraki devices and a Domain Controller or identity server (running Active Directory or LDAP services). TLS is a prerequisite to the following configurations:
TLS is also a prerequisite for MS-CHAPv2 with RADIUS.
To use TLS, a certificate with the appropriate parameters must be installed on the Domain Controller. This article outlines the necessary certificate parameters for TLS.
Though an existing certificate can be modified to meet the parameters outlined below, a self-signed certificate can easily be configured and used for TLS.
It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.
Please refer to our documentation for instructions to add a self-signed certificate in Windows Server.
For RADIUS servers or other identity providers, please refer to your server provider's documentation for configuration steps.
The following notes describe certificate parameters as they appear in Windows Server, but the same parameters apply to a certificate issued on any platform.
Under the General tab, check for the following attributes:
Under the Details tab:
For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.
For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.
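As a practical check of the requirements above (an added example, not a Meraki or Microsoft tool), the script below generates a self-signed certificate for a Domain Controller and verifies two attributes that Microsoft's EAP-TLS/PEAP certificate KB requires of a server certificate: a Server Authentication EKU and the server's FQDN in the Subject Alternative Name. The FQDN `dc01.corp.example` is a constructed placeholder, and OpenSSL 1.1.1 or later is assumed (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example: create a self-signed DC certificate with the attributes a TLS
# server certificate needs, then check a certificate file for those attributes.
# Assumptions: OpenSSL 1.1.1+; DC_FQDN below is a constructed placeholder.
set -e

DC_FQDN="dc01.corp.example"   # constructed placeholder, not a real host

# make_dc_cert OUTPREFIX FQDN
# Writes OUTPREFIX.key and OUTPREFIX.crt. The SAN carries the DC's FQDN and the
# Enhanced Key Usage is Server Authentication (OID 1.3.6.1.5.5.7.3.1).
make_dc_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# check_dc_cert CERTFILE FQDN
# Returns 0 when the certificate has the Server Authentication EKU and lists
# FQDN in its Subject Alternative Name; prints what is missing otherwise.
check_dc_cert() {
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null)
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null)
  ok=0
  # OpenSSL renders serverAuth as "TLS Web Server Authentication"
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "missing Enhanced Key Usage: Server Authentication"; ok=1 ;;
  esac
  case "$san" in
    *"DNS:$2"*) ;;
    *) echo "Subject Alternative Name does not contain DNS:$2"; ok=1 ;;
  esac
  return $ok
}
```

Run `check_dc_cert` against the certificate exported from the Domain Controller's machine store (or against the chain captured from port 636 with `openssl s_client`) to confirm the installed certificate matches what the Meraki device will require.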