WPA/WPA2 Enterprise with Certificate Authentication

vmadriga
Conversationalist

WPA/WPA2 Enterprise with Certificate Authentication

Hi all,

 

I am configuring the authentication settings on a WiFi profile to push it to mobile devices and I want to use certificate based authentication. I need that the identity certificate distributed to the mobile device includes the username as the CN. Is it a requirement for this to work to integrate the Active Directory into the Systems Manager? Right now I am using local users defined on the "Owners" page and the certificates pushed to the mobile devices does not have the username as the CN in the identity certificate, I am assuming that the username defined in the "Owners" page will be used as the CN but I am not sure if this is correct. 

 

Any comments are really appreciated.

2 REPLIES 2
PaulF
Meraki Employee
Meraki Employee

So, there's a few things to address here:

 

1. In order to have a username, you have to have a user. This can be meraki hosted, AD, Azure, Google, OpenID Connect, etc. When the user enrolls, if it's not a meraki hosted user, the user appears in the Owners List

Screen Shot 2021-04-22 at 10.59.51 AM.png

(You'll note the difference between username and email address)

 

2. Secondly the naming of the cert is completely up to you. When creating a SCEP policy, you can use various bits of dynamic text, such as:

Screen Shot 2021-04-22 at 10.57.41 AM.png

Example:

Screen Shot 2021-04-22 at 10.57.51 AM.png

 

I hope that helps

 

Paul

vmadriga
Conversationalist

Thanks Paul,

 

I did some testing and created a new SCEP certificate specifying the username as the CN:

 

vmadriga_0-1619128877546.png

and then I specify this new SCEP into the Wifi Configuration:

 

vmadriga_1-1619128932564.png

When I enroll the device now I have one certificate installed with the CN field populated with the username specified on the Owners list, however on the Wifi profile installed on the device there is no user certificate configured on the profile.

 

If I select the default SCEP under Wifi settings and select "Use username as certificate CN" :

 

vmadriga_2-1619129207081.png

 

I do get a user certificate on the Wifi Profile on the mobile device however this user certificate does not include the username in the CN field, it contains a random number instead.

 

Is there a document that explains how SCEP policies are applied to Wifi settings and how to specify that the CN field contains the username for the default SCEP?

 

Any comments are really appreciated.

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels