Meraki

Community

What should be listed in the Meraki SM WiFi Profile Trust tab?

RHealea
Conversationalist
‎Mar 6 2023 11:53 AM
‎Mar 6 2023 11:53 AM

What should be listed in the Meraki SM WiFi Profile Trust tab?

Howdy Everybody!

 

I've been managing our Meraki SM MDM for a number of years and it's always worked. I inherited the job. We have a wildcard cert that gets updated every year in the WiFi profile.

 

However, our network folks recently added a *.meraki.com cert to the ISE server and it knocked all the managed iPads off the WiFi. They disabled it and every worked, again. So, we have been investigating and I'm trying to learn more about Meraki MDM settings for WiFi.

 

In the WiFI profile...

 

Configuration: Manual

Proxy: None

Hotspot: None

Security: WPA2 Enterprise

 

Enterprise Settings:

-Protocols: PEAP

-Authentication: User/Pass - Set; ID Cert - None

-Trust: This is where I have questions.

 

The last time I was in here there was no Trusted Certificates checkbox. Now, there is (for our own wildcard cert) and it's not checked. Everything seems to work the same whether that's checked or not. So, what's the point? If I remove our cert from the profile that checkbox vanishes, so I know where it's coming from. That checkbox seems redundant. Our cert is already in the profile. I really don't think Meraki would put in redundant options. So, what's it for?

 

Also, what should I be putting in the list of Trusted Server Certificate Names? I tried adding the *.meraki.com to this list, but no help. I have our wildcard cert's name added to this list, but I don't know if it's actually needed or not. I wouldn't think so, since the cert is in the profile. 

 

Thank you for any help or advice you can offer!!!

 

Rob H.  🙂

Labels:
0 Kudos
2 Replies 2
kless
Here to help
‎Mar 7 2023 1:03 AM
‎Mar 7 2023 1:03 AM

Under Trusted Server Certificate Names you would need to put a

list of server certificates that would be accepted if presented by your ISE server. You can use wildcard for the domain parts. For example if you set *.acme.com, and when connecting to WiFi your phone receives a certificate myiseserver.acme.com from your RADIUS server, your connection would be accepted. You can find details in the iOS EAP profile https://developer.apple.com/documentation/devicemanagement/wifi/eapclientconfiguration . 

RHealea
Conversationalist
‎Mar 7 2023 3:33 PM
‎Mar 7 2023 3:33 PM

@kless Thank you for the information and that link. 

 

This is the page of instructions that my network guys said they followed to add the *.meraki.com cert to our ISE servers.

https://community.cisco.com/t5/security-knowledge-base/integrating-cisco-identity-services-engine-wi...

 

No where in there do I see it wanting to have that cert added to the list of Trusted Server Certificate Names. But, when that cert was enabled, all managed iPads were no longer allowed to connect to our WiFi after they checked in with Meraki SM and got an updated Certificate List. Once that new cert was disabled, and the iPads were connected to a different WiFi, they checked in, updated their Certificate List, again, and then were allowed to connect to our WiFi. I have no idea what happened.

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.