WPA/WPA2 Enterprise with Certificate Authentication

vmadriga
Conversationalist

Hi all,

I am configuring the authentication settings on a WiFi profile to push it to mobile devices, and I want to use certificate-based authentication. I need the identity certificate distributed to the mobile device to include the username as the CN. Is integrating Active Directory into Systems Manager a requirement for this to work? Right now I am using local users defined on the "Owners" page, and the certificates pushed to the mobile devices do not have the username as the CN in the identity certificate. I am assuming that the username defined in the "Owners" page will be used as the CN, but I am not sure if this is correct.

Any comments are really appreciated.

Inderdeep
Kind of a big deal

Re: WPA/WPA2 Enterprise with Certificate Authentication

@vmadriga : Not sure if these links will help you get what you want:

Certificate-based authentication using EAP-TLS supported by the Meraki platform
EAP-TLS Configuration and Best practice
Creating a Policy in Network Policy Server to support EAP-TLS authentication
Regards
Inderdeep Singh
www.thenetworkdna.com
PaulF
Meraki Employee

Re: WPA/WPA2 Enterprise with Certificate Authentication

So, there's a few things to address here:

1. In order to have a username, you have to have a user. This can be Meraki hosted, AD, Azure, Google, OpenID Connect, etc. When the user enrolls, if it's not a Meraki hosted user, the user appears in the Owners list.

(screenshot)

(You'll note the difference between username and email address.)

2. Secondly, the naming of the cert is completely up to you. When creating a SCEP policy, you can use various bits of dynamic text, such as:

(screenshot)

Example:

(screenshot)

I hope that helps

 

Paul

vmadriga
Conversationalist

Re: WPA/WPA2 Enterprise with Certificate Authentication

Thanks Paul,

I did some testing and created a new SCEP certificate specifying the username as the CN:

(screenshot)

and then I specified this new SCEP in the WiFi configuration:

(screenshot)

When I enroll the device now, I have one certificate installed with the CN field populated with the username specified on the Owners list; however, on the WiFi profile installed on the device there is no user certificate configured.

If I select the default SCEP under WiFi settings and select "Use username as certificate CN":

(screenshot)

I do get a user certificate on the WiFi profile on the mobile device; however, this user certificate does not include the username in the CN field, it contains a random number instead.

Is there a document that explains how SCEP policies are applied to WiFi settings and how to specify that the CN field contains the username for the default SCEP?

Any comments are really appreciated.
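Paul's point that the CN is whatever dynamic text the SCEP policy produces, and the follow-up's symptom of a user certificate whose CN is a random number rather than the username, both come down to the same check on the client side: inspect the identity certificate the device actually received and confirm it carries the username in a field the RADIUS server can match (Subject CN or a SAN), and that it has the Client Authentication EKU that EAP-TLS needs. The Go program below is an added example and is not code from this thread or from Meraki. It stands in a self-signed certificate for the SCEP-issued one (a real deployment gets the cert from the Systems Manager or enterprise CA), and the username "vmadriga", the numeric CN "48213977" and the email SAN are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// issueIdentityCert stands in for the SCEP policy plus CA: it issues a client
// certificate whose Subject CN is whatever the policy's dynamic text produced
// (the username, or an opaque device number). Self-signed here for the example;
// the real cert is signed by the Systems Manager / enterprise CA.
func issueIdentityCert(cn string, sanEmails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: cn},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // required for EAP-TLS
		EmailAddresses: sanEmails,                                      // rfc822Name SAN entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// opaqueCN matches the "random number instead of the username" symptom.
var opaqueCN = regexp.MustCompile(`^[0-9]+$`)

// checkIdentityCert is the check to run on the cert the device ended up with:
// it must be usable for EAP-TLS client auth and must carry the expected
// username in a field the RADIUS server can match (Subject CN or an email SAN).
func checkIdentityCert(cert *x509.Certificate, username string) error {
	hasClientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			hasClientAuth = true
		}
	}
	if !hasClientAuth {
		return fmt.Errorf("certificate lacks the Client Authentication EKU; EAP-TLS will reject it")
	}
	cn := cert.Subject.CommonName
	if cn == username {
		return nil
	}
	for _, e := range cert.EmailAddresses {
		if e == username {
			return nil
		}
	}
	if opaqueCN.MatchString(cn) {
		return fmt.Errorf("CN %q is an opaque number, not the username %q: the WiFi profile is using a SCEP policy whose CN is not set to the username", cn, username)
	}
	return fmt.Errorf("CN %q and SANs %v do not contain the username %q", cn, cert.EmailAddresses, username)
}

func main() {
	// Constructed samples: one cert as a "username as CN" SCEP policy should
	// issue it, one as the follow-up describes it (opaque numeric CN).
	for _, cn := range []string{"vmadriga", "48213977"} {
		cert, err := issueIdentityCert(cn, nil)
		if err != nil {
			panic(err)
		}
		if err := checkIdentityCert(cert, "vmadriga"); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Printf("OK: CN=%q matches the username\n", cert.Subject.CommonName)
		}
	}
}
```

To run the same check against the cert a real device received, export it from the device (or from the Systems Manager profile) as DER or PEM, parse it with x509.ParseCertificate and pass it to checkIdentityCert with the Owners-list username; the error text tells you whether the profile is pointing at the wrong SCEP policy (numeric CN), is missing the EKU, or simply has the identity in a different field than the RADIUS policy expects.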
