I am trying to improve my understanding of System Manager and System Manager Sentry when used for Wireless Authentication.
As I understand it, a corporate WLAN can be protected by dot1x and EAP/TLS by setting the WLAN's SSID to "802.1X with Meraki RADIUS" and any device that subsequently attempts to associate with the SSID will be authenticated by System Manager Sentry using mutual exchange of certificates. If there are no appropriate certificates on the device, the association will be blocked. If the device has the correct certificates, the authentication is transparent to the device user and association occurs. That seems straightforward, if I’ve understood it right.
I also understand that, to deliver certificates to client devices, and prepare them to access the corporate WLAN I can create an "onboarding" WLAN (open security and only Internet access) by setting the Sign-On Method on the SSID to "System Manager Sentry". Then, when a client device is associated with that SSID, the Meraki system will interrogate the device to find whether it has been onboarded. If it has not, System Manager will prompt the user to provide on-boarding credentials, at which time certificates will be loaded and the device will be prepared to access the corporate WLAN. Again, that seems straightforward, if I’ve understood it right.
But….there are a couple of things I can’t get clear in my head. I’m looking at a document “Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi” The document mentions tag and profile creation, but I don’t understand how that works. I just can’t get my head round point 3, do I need to create tags and profiles, or does it happen automatically? Is there more to configuration than I mention in the first two paragraphs? Have I missed something critical.