I have since spoken to the customer more about this and found out they already have Intune as their MDM solution. So they are interested in using that to roll out the certificates to the corporate mobiles.
Will that still be challenging?
The way I see it, once they have rolled out the certs to the mobile phones using Intune, Meraki would just see them in the same way as it sees the laptops today and hence authenticate using RADIUS 802.1X. In such a scenario, is it recommended to separate the SSIDs for corp mobile phones and laptops, though?
Depending on how much of the infrastructure you have already got deployed, I'd set aside a couple of days to get this going. Also note with Intune, sometimes when it doesn't work, if you just wait and come back to it later, it starts working. Some things seem to take a long time in Intune to actually finish deploying internally.
Thanks Philip for this info. The customer owns the Intune, so they will be pushing the certs. We own their Meraki solution, so is there anything to be aware of from Meraki's perspective, i.e. any issues in authenticating mobile phones using certs?
Also, is it common to use the same SSID for corp laptops and mobile phones? I am pushing for SSID re-use, using group policy to enforce restrictions on mobile phones, as opposed to introducing a new SSID just for the purpose of corp phones. Thanks,
It uses RADIUS-based authentication. From your perspective you don't care if it is using username/password with PEAP+MSCHAPv2, EAP-TLS, PEAP_EAP-TLS, etc.; you just pass through the RADIUS request and get back an accept or deny.
It's up to the RADIUS server to decide what authentication methods to allow and who to give access to.
>Also is it common to use the same SSID for Corp laptops and mobile phones?
I often use a separate SSID, but I often use different authentication methods per SSID, along with Microsoft NPS, which limits your options a lot.
But as long as the RADIUS server can accept all the methods you want to use, and reply with a group policy to assign, then you can certainly use a single SSID.
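To make the "single SSID, policy decided by the RADIUS server" model concrete, here is an added example (not code from the thread or from Meraki) of the decision a RADIUS server makes for one 802.1X SSID shared by corporate laptops and MDM-enrolled phones: it checks the EAP method, checks that an EAP-TLS client certificate comes from the expected corporate CA, maps the device class to a group policy name, and encodes that name as a RADIUS Filter-Id attribute in the Access-Accept. The OU values, CA name, realm and policy names are constructed for illustration, and the assumption that the access point maps Filter-Id to a dashboard group policy is exactly that, an assumption; check your own platform's documentation for which reply attribute it honours.

```python
"""Hypothetical policy logic for a RADIUS server fronting one 802.1X SSID.

Demonstrates: (1) only permitted EAP methods are accepted, (2) EAP-TLS
client certificates must be issued by the corporate CA pushed by the MDM,
(3) the device class carried in the certificate selects the group policy,
(4) the chosen policy name is returned as a Filter-Id AVP (RFC 2865, type 11).
All names below are constructed examples, not values from any real deployment.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id

# Assumed issuer CN of the CA whose certificates the MDM deploys (constructed).
CORP_CA_CN = "Example Corp Device CA"

# Assumed OU naming in the MDM certificate template -> group policy name.
DEVICE_CLASS_POLICY = {
    "Corp-Laptops": "corp-laptop-policy",
    "Corp-Mobiles": "corp-mobile-policy",
}

ALLOWED_METHODS = {"EAP-TLS", "PEAP-MSCHAPv2"}
CORP_REALM = "@corp.example"  # constructed realm for PEAP username logins


@dataclass
class AuthRequest:
    eap_method: str
    cert_subject: Optional[dict] = None  # parsed subject of client cert, if any
    cert_issuer: Optional[dict] = None   # parsed issuer of client cert, if any
    username: Optional[str] = None       # inner identity for PEAP


def decide(req: AuthRequest) -> Tuple[str, str]:
    """Return ('Access-Accept', policy_name) or ('Access-Reject', reason)."""
    if req.eap_method not in ALLOWED_METHODS:
        return ("Access-Reject", "EAP method not permitted")

    if req.eap_method == "EAP-TLS":
        if not req.cert_subject or not req.cert_issuer:
            return ("Access-Reject", "EAP-TLS without a client certificate")
        # Trusting any cert that chains to *some* CA is the classic mistake;
        # pin the issuer to the CA the MDM actually enrolls devices with.
        if req.cert_issuer.get("CN") != CORP_CA_CN:
            return ("Access-Reject", "certificate not issued by corporate CA")
        policy = DEVICE_CLASS_POLICY.get(req.cert_subject.get("OU", ""))
        if policy is None:
            return ("Access-Reject", "unknown device class in certificate OU")
        return ("Access-Accept", policy)

    # PEAP-MSCHAPv2: password login, treated as a laptop user here.
    if req.username and req.username.endswith(CORP_REALM):
        return ("Access-Accept", DEVICE_CLASS_POLICY["Corp-Laptops"])
    return ("Access-Reject", "user not in permitted realm")


def encode_filter_id(policy_name: str) -> bytes:
    """Encode a Filter-Id AVP: Type(1) Length(1) Value, length includes header."""
    value = policy_name.encode("utf-8")
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", FILTER_ID, 2 + len(value)) + value


def decode_filter_id(avp: bytes) -> str:
    """Parse a Filter-Id AVP back into the policy name, validating the header."""
    if len(avp) < 2:
        raise ValueError("AVP too short")
    attr_type, length = struct.unpack("!BB", avp[:2])
    if attr_type != FILTER_ID or length != len(avp):
        raise ValueError("not a well-formed Filter-Id AVP")
    return avp[2:].decode("utf-8")


def build_reply(req: AuthRequest) -> Tuple[str, bytes]:
    """Full decision: code plus the reply attribute bytes (empty on reject)."""
    code, detail = decide(req)
    if code == "Access-Accept":
        return (code, encode_filter_id(detail))
    return (code, b"")


if __name__ == "__main__":
    # Constructed sample requests, one per device class and one rogue cert.
    phone = AuthRequest("EAP-TLS", {"OU": "Corp-Mobiles", "CN": "phone-01"},
                        {"CN": CORP_CA_CN})
    laptop = AuthRequest("PEAP-MSCHAPv2", username="alice" + CORP_REALM)
    rogue = AuthRequest("EAP-TLS", {"OU": "Corp-Mobiles", "CN": "phone-99"},
                        {"CN": "Some Other CA"})
    for r in (phone, laptop, rogue):
        print(r.eap_method, build_reply(r))
```

The point the example makes for a shared SSID is that the access point only sees Access-Accept plus whatever reply attribute your platform maps to a group policy; every restriction that differs between phones and laptops lives in the RADIUS server's decision, so the issuer pin and the OU-to-policy mapping are where to spend review time.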