EAP/TLS and Meraki (Wi-Fi 6)

The_Roo

I’m trying to use Meraki's inbuilt ability to use EAP/TLS authentication. I’m also using MR57 APs, which have Wi-Fi 6 capability and will use WPA3 encryption.

 

I’ve been looking at the document https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_EAP-TLS_W...  (and lots of others, thanks Dr Google!) and understand I must create a secure SSID (sl-corp) and an on-boarding SSID (sl-corp-on-boarding).

I also understand that I must set the access control for sl-corp to Meraki Cloud Authentication and select Systems Manager Sentry WiFi:

[screenshot: SSID access control settings]

 

All good so far: From the above, I believe that devices attempting to authenticate to the SSID will only be successful after a mutual exchange of certificates with the Meraki system. But it's the backend part of this I'm missing: how to get certificates on the client devices and get them to recognise the certificates from the network.

 

The document goes on to say:

 

3. Select the device tags to be associated with EAP-TLS. This automatically creates a Systems Manager profile for the SL-corp SSID to use EAP-TLS and installs a client certificate from the Dashboard for each client (this profile will appear under Systems Manager > Manage > Settings). Note that wireless authentication settings should be provisioned from either the SSID side, as described in this article, or the MDM profile side in Systems Manager > Manage > Settings and not both.

[screenshot: device tag selection]

 

My questions are

“where do the device tags come from?” What is described above seems reasonable: Systems Manager will look for a pre-selected tag on a device and when it finds the authenticating device has the right tag, it will authenticate that device with EAP/TLS. Is there a single good document that shows how to set up Systems Manager and make it work in some detail?

 

There is an "sl-corp-on-boarding" SSID mentioned but I can't see how it should be built or how it should be used?

 

I want to use Wi-Fi 6, so the WPA Encryption mode will be forced to WPA3. Are there any considerations or will that just work?

 

Probably some newbie questions here guys, I’ve done 802.1X/EAP/TLS with ISE, and I know what I want to do with the Meraki, it's just I don’t know how to do it!

 

Thanks for any help

Roo
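The mutual certificate check described in the post above is the inner TLS handshake of EAP-TLS. What follows is an added example, not code from this thread or from Meraki, that strips the exchange down to that handshake using Go's standard library. It builds a throwaway CA, a network-side (authenticator) certificate and a device certificate in memory, then runs a mutually authenticated handshake three ways: a correctly provisioned device, a device presenting a certificate from a CA the network does not trust, and a device that was never given the network CA as a trust anchor. The EAP framing, Meraki's cloud CA and the Systems Manager profile that actually delivers the certificate and trust anchor are outside what it models; the names sl-corp-ca, sl-corp-radius, laptop-001, laptop-999 and unrelated-ca are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate in memory: self-signed CA when parent is nil, else signed by parent/parentKey.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial; a real CA tracks these
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the device matches ServerName against SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // serverAuth for the network, clientAuth for devices; verifiers check this
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: mark it as a CA and sign it with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one mutually authenticated TLS 1.2 handshake over loopback TCP. devCA is the CA the
// network trusts for device certs; netCA is the CA the device was provisioned to trust. nil means both accepted.
func handshake(netCert *x509.Certificate, netKey *ecdsa.PrivateKey, devCA *x509.Certificate,
	devCert *x509.Certificate, devKey *ecdsa.PrivateKey, netCA *x509.Certificate) error {
	devPool, netPool := x509.NewCertPool(), x509.NewCertPool()
	devPool.AddCert(devCA)
	netPool.AddCert(netCA)
	netSide := &tls.Config{ // authenticator side (the network): insists on a device certificate
		Certificates: []tls.Certificate{{Certificate: [][]byte{netCert.Raw}, PrivateKey: netKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    devPool,
		MaxVersion:   tls.VersionTLS12, // under TLS 1.3 the client only learns of a rejected cert on its first read
	}
	devSide := &tls.Config{ // supplicant side (the device): presents its cert and validates the network's
		Certificates: []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}},
		RootCAs:      netPool,
		ServerName:   netCert.Subject.CommonName,
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	netErr := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		netErr <- tls.Server(raw, netSide).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	devErr := tls.Client(raw, devSide).Handshake()
	raw.Close()
	if nErr := <-netErr; devErr != nil || nErr != nil {
		return fmt.Errorf("device side: %v; network side: %v", devErr, nErr)
	}
	return nil
}

// scenarios runs the three handshakes: a correctly provisioned device, a device whose certificate comes
// from a CA the network does not trust, and a device never given the network CA. All names are invented.
func scenarios() (provisioned, foreignDevice, untrustingDevice error) {
	srv, cli := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	netCA, netCAKey := issue("sl-corp-ca", nil, nil, nil)
	netCert, netKey := issue("sl-corp-radius", srv, netCA, netCAKey)
	devCert, devKey := issue("laptop-001", cli, netCA, netCAKey)
	otherCA, otherCAKey := issue("unrelated-ca", nil, nil, nil)
	strayCert, strayKey := issue("laptop-999", cli, otherCA, otherCAKey)
	provisioned = handshake(netCert, netKey, netCA, devCert, devKey, netCA)
	foreignDevice = handshake(netCert, netKey, netCA, strayCert, strayKey, netCA)
	untrustingDevice = handshake(netCert, netKey, netCA, devCert, devKey, otherCA)
	return
}

func main() {
	a, b, c := scenarios()
	fmt.Printf("provisioned device: %v\ncert from untrusted CA: %v\ndevice lacks network CA: %v\n", a, b, c)
}
```

Run it with go run: the first handshake returns nil and the other two return an error naming which side refused. The third case is the one the "recognise the certificates from the network" question is really about: a device holding a perfectly good client certificate but no trust anchor for the network refuses the handshake, and a device configured to skip that validation would present its certificate to any access point offering a server certificate, which is why the profile Systems Manager pushes has to carry the network CA alongside the client certificate.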

KarstenI

WPA3 is only needed if you want to use the 6 GHz band. If you use your MR57 with dual 5 GHz (I use ours that way but that could change with the next iPhone) you can still stay on WPA2-Enterprise.

 

The Tags are assigned in Systems Manager. When a managed device is assigned the Tag you used in your Sentry config, a WLAN profile and certificate are provisioned to the device.

The onboarding SSID is only used to get to the internet. This is the connection on which SM sends the certificate to the client.

Hi KarstenI

Thanks for the comments. You wrote "The Tags are assigned in the Systems manager.", but I'm still unclear: by whom? I assume "by me" during configuration, and if so, how? I'm just not clear on the process of onboarding a device. It appears I have a secure corporate WLAN/SSID that will only allow devices with the right certificate on board (and which must recognise the certificate offered by the network) to associate with it, but I'm unsure how the certificate gets on the device, and where Systems Manager fits in to this. I think I've got to configure a new network, of type EMM (Organization > Configure > Create network). I've read that though I have multiple sites/networks I only need one EMM, and that will manage authentication for devices whatever site they are at, but it's the nuts and bolts of the process of creating the EMM and onboarding the devices I've not understood. The answer is probably there in Meraki documentation, if I could just find it: I keep getting little parts from many different places but never the whole picture.

 

Thanks

Roo

 

Thanks for any help you can give

KarstenI

With multiple networks, I also would add a new SM network on the dashboard. There you enroll the devices that need to use the new SSID. For this enrollment, you need a connection to the internet. This could be done with the registration SSID, a wired connection, or even mobile data.

The registration process is described quite well in the dashboard.

You know you need an SM license for every device enrolled?

After that you create a new Tag in SM, use this Tag in the Sentry config and apply the Tag to the devices (also in the SM config). The enrollment can also be done as a self-service by the users.

OK, I'm beginning to get this: I have a corporate SSID that will only allow enrolled devices on, because enrolled devices will have a certificate from Meraki loaded. Is it that simple? Then there is the enrollment process. I have been doing some looking around and I see that if I make an unenrolled device go to https://enroll.meraki.com/xxx-xxx-xxxx

where the xxx number is one I get when I'm setting up my EMM network. I can take the device through the enrollment process (possibly through an enrollment SSID) to positively identify it as authorised, at which point it will get the certificate loaded onto it. This enrollment process will use up an SM Licence. But...can you tell me if that is the process, or where I've gone wrong, and a bit more about tokens, I'm not sure about them at all 😞

 

Thanks

Roo

KarstenI

This is exactly how it can be done (although there are multiple ways).
