What is the correct and working way to add iOS devices to a WPA2-Enterprise network using SM?

MFuchs
Here to help

I have Meraki SM and lots of iOS devices (mostly registered via DEP) in my network.

I have a WPA2-Enterprise wireless network that I'd like to add the phones to.

Due to the problem that credentials cannot be empty (from iOS 9+ on), I cannot push the wireless profiles.

Hardcoding a username is not an option.

Has anyone found a way to accomplish that?

Or how are others solving the problem with pushing wireless profiles?

 

(Sentry is also an option but somehow does not work until now... will have to dig deeper into it...)

PhilipDAth
Kind of a big deal

You could use a Systems Manager "Sentry" based WiFi system, which uses certificates, and can be automated.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TLS_Wireless_Authe...

 

Failing that, don't deploy the WiFi profile.  All the user has to do is click on the WiFi network and put in their username/password.  Another option would be to deploy it with a dummy username/password.  With any luck when the device fails to authenticate it will ask the user for their username/password.

PeterJames
Head in the Cloud

Have you tried creating an Apple Configurator profile and uploading that to Meraki as a file? The file Apple Configurator creates will be XML that can be edited - Random GitHub example 😄

It only needs to contain your Wi-Fi. You can then use other profiles for everything else.

 


Thank you,
Peter James

For the Apple Configurator profile I need to use a Mac computer, correct?
Or do I have the chance to create a mobileconfig on Windows...
I'd expect to get it working on Meraki alone 😉

So what I would expect is:

I have some SCEP CA that hands out certificates to the mobile devices.

So the device should be able to authenticate with this certificate against the NPS server (EAP-TLS?)

So what do I have to configure at the NPS side (I guess enable "Microsoft: Smartcard- or other certificate").

But what would I configure in Meraki MDM to push out this profile then?

T1
Building a reputation

I can vouch for the EAP-TLS implementation as mentioned above, although since you already have a WPA2-Enterprise network, what does it authenticate against? A RADIUS server or AD?

MFuchs
Here to help

We're authenticating against RADIUS (NPS)
jared_f
Kind of a big deal

I am also interested in this topic. Every user just authenticates and accepts the AD certificate. I could never get this automated. Following.

Find this helpful? Click the kudos button. Thanks!
MikeMandalorian
A model citizen

So I have about 120 iPads in the field. They are used in schools. Now mind you, I do not work for the school system, but I had to contact them for access to the schools' WiFi. Obviously I use Meraki SM, but the schools use Aruba for their APs.

They had to give me a certificate, which I added to a profile, and then I also set up a WiFi config within that same profile. They also provided a username and password, which is pushed out to all of the iPads. I've also done the same thing to our Chromebooks, but that is done only through the Google Admin Console.

On other iPads not in schools I have multiple WiFi profiles for other staff iPads, to connect without having to worry about SSID and password. It either autoconnects or they just select which one and push on the SSID and it connects.

I know this doesn't directly answer your question, but it is possible to push WiFi profiles out.

 

jared_f
Kind of a big deal

Apple Configurator 2 worked best for me, then I just uploaded and distributed. Make sure you include the certificate and Wi-Fi in the same profile so they get installed at the same time.


Sounds good...

But then I need to have a Mac for the profile manager to be installed, correct?
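
Added example, not part of the thread and not Meraki's or Apple's own tooling: a .mobileconfig is an XML property list, so Python's `plistlib` can write one on any OS. The sketch below puts the RADIUS server's CA and the Wi-Fi payload in the same profile, as advised above, pins trust to that CA and server name, and leaves the user credentials out instead of hardcoding them. The SSID, server name, `com.example.wifi` identifier, the PEAP type (25) and the placeholder certificate bytes are assumptions; whether the device then prompts the user for credentials should be confirmed on a test device.

```python
import plistlib
import uuid

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def _base(payload_type, identifier):
    """Keys every payload dictionary (and the profile itself) carries."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper()}

def build_wifi_profile(ssid, ca_cert_der, radius_names, eap_types=(25,),
                       org_id="com.example.wifi"):  # org_id is hypothetical
    """Return .mobileconfig bytes: CA anchor plus WPA2-Enterprise Wi-Fi payload."""
    ca = _base("com.apple.security.root", org_id + ".ca")
    ca["PayloadContent"] = ca_cert_der  # bytes are written as <data>
    wifi = _base("com.apple.wifi.managed", org_id + ".ssid")
    wifi.update({
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),  # 25 = PEAP, 13 = EAP-TLS
            # Trust only the CA shipped in this profile and only these server
            # names, so the user is not asked to accept a certificate by hand.
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
            "TLSTrustedServerNames": list(radius_names),
            # No UserName/UserPassword keys: no credential is hardcoded.
        },
    })
    profile = _base("Configuration", org_id)
    profile.update({"PayloadDisplayName": "Enterprise Wi-Fi",
                    "PayloadContent": [ca, wifi]})
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def unresolved_anchors(profile_bytes):
    """Return anchor UUIDs that no certificate payload in the profile provides."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads if p["PayloadType"] in CERT_TYPES}
    return [u for p in payloads if p["PayloadType"] == "com.apple.wifi.managed"
            for u in p["EAPClientConfiguration"].get("PayloadCertificateAnchorUUID", [])
            if u not in certs]

if __name__ == "__main__":
    # Constructed sample input: placeholder bytes, not a real certificate.
    sample_ca = b"constructed-placeholder-not-a-real-certificate"
    data = build_wifi_profile("ExampleCorpWiFi", sample_ca, ["nps.example.com"])
    print(data.decode())
    print("unresolved anchors:", unresolved_anchors(data))
```

Replace the placeholder bytes with the DER-encoded CA certificate of the RADIUS server before uploading the file as a custom profile.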
