Enabling Cert-based Authentication for Mobile Phones

My customer is using Radius auth for their Corporate SSID which authenticates the company issued laptops based on Cert.

They want to extend this authentication mechanism to corporate-issued mobile phones too, such that corporate-issued mobile phones are authenticated seamlessly in a similar fashion through certs.

My question is: has anyone done this before, and were there any challenges faced?

Is it as straightforward as it looks?




7 Replies
Kind of a big deal

It's a bit of a pig.


If the scale is low, you can create a certificate per device, email it to the user, and the user can install it on their device from there.


If the scale is large, you'll need to use an MDM.

You could use Meraki Systems manager and a separate SSID for the devices.  It can automate certificate deployment and authentication.



Otherwise, you'll need to set up something like Intune, and use NDES against Microsoft CA.  It's a pig to setup.

I have since spoken to the customer more about this and found out they already have Intune as their MDM solution. So they are interested in using that to roll out the certificates to the corporate mobiles. 

Will that still be challenging?

The way I see it, once they have rolled out the certs to the mobile phones using Intune, Meraki would just see them in the same way as it sees the laptops today and hence authenticate using RADIUS 802.1X. In such a scenario, is it recommended to separate the SSIDs for corporate mobile phones and laptops, though?

Kind of a big deal

>Will that still be challenging?


Yes, it's a pig.


You need to configure NDES (also known as SCEP).



This guide talks about configuring Intune to use NDES to deploy certificates.



Depending on how much of the infrastructure you have already got deployed, I'd set aside a couple of days to get this going.  Also note with Intune, sometimes when it doesn't work, if you just wait and come back to it later, it starts working.  Some things seem to take a long time in Intune to actually finish deploying internally.

Thanks Philip for this info. Customer owns the Intune so they will be pushing the certs.
We own their Meraki solution, so is there anything to be aware of from Meraki's perspective, i.e. any issues in authenticating mobile phones using certs?

Also, is it common to use the same SSID for corporate laptops and mobile phones? I am pushing for SSID re-use, using group policy to enforce restrictions on mobile phones, as opposed to introducing a new SSID just for the purpose of corporate phones.


Kind of a big deal

It uses RADIUS-based authentication.  From your perspective you don't care if it is using username/password with PEAP+MSCHAPv2, EAP-TLS, PEAP_EAP-TLS, etc.; you just pass through the RADIUS request and get back an accept or deny.

It's up to the RADIUS server to decide what authentication methods to allow and who to give access to.


>Also is it common to use the same SSID for Corp laptops and mobile phones? 


I often use a separate SSID, but I often use different authentication methods per SSID, along with Microsoft NPS, which limits your options a lot.

But as long as the RADIUS server can accept all the methods you want to use, and reply with a group policy to assign, then you can certainly use a single SSID.
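As an added illustration of the pass-through described above (this is example code written for this thread, not Meraki's or Microsoft's own), the block below builds and checks the two RADIUS replies an access point ever sees, Access-Accept and Access-Reject, and pulls the group-policy name out of the accept. It assumes the group policy is carried in the standard Filter-Id attribute (type 11); the shared secret, packet identifier and Request Authenticator are constructed sample values. The part worth copying is `verify_response`: the RFC 2865 Response Authenticator (MD5 over code, identifier, length, the original Request Authenticator, the attributes and the shared secret) is the only thing that ties an accept to the request that was sent and to the secret, so an access point should drop any reply that fails it rather than trust the code byte.

```python
"""Constructed RADIUS Access-Accept/Reject handling (added example).

Assumptions, not taken from the thread: secret, identifier and Request
Authenticator are constructed values; the Filter-Id attribute (type 11)
carries the group-policy name the RADIUS server wants assigned.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code, identifier, request_authenticator, secret, attributes):
    """Build an Access-Accept/Reject with an RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator, secret):
    """True only if the Response Authenticator matches the request we sent
    and our shared secret; anything else must be discarded."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header; reject malformed lengths."""
    attrs = {}
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[i + 2:i + attr_len])
        i += attr_len
    return attrs


def group_policy_from_response(packet, request_authenticator, secret):
    """What the access point needs from a reply: (accepted, group_policy_name).
    Verification happens before the code byte is even looked at."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: drop packet")
    if packet[0] != ACCESS_ACCEPT:
        return False, None
    filter_ids = parse_attributes(packet).get(ATTR_FILTER_ID)
    return True, (filter_ids[0].decode() if filter_ids else None)


# Constructed sample exchange: values below are made up for the example.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # constructed; a real Request Authenticator is random
IDENTIFIER = 0x2A


def demo():
    """Return one accept carrying a group policy and one reject, as a server would send."""
    accept = build_response(ACCESS_ACCEPT, IDENTIFIER, REQ_AUTH, SECRET,
                            [encode_attribute(ATTR_FILTER_ID, b"Corp-Phones")])
    reject = build_response(ACCESS_REJECT, IDENTIFIER, REQ_AUTH, SECRET, [])
    return accept, reject


if __name__ == "__main__":
    accept_pkt, reject_pkt = demo()
    print(group_policy_from_response(accept_pkt, REQ_AUTH, SECRET))
    print(group_policy_from_response(reject_pkt, REQ_AUTH, SECRET))
```

The access point never learns whether the client used EAP-TLS or PEAP: both replies above are identical in shape, which is exactly why a single SSID can serve laptops and phones as long as the RADIUS server hands back the right Filter-Id for each.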

Kind of a big deal

If you don’t want to go full MDM, and you’re happy for your users to do some self-enrolment then you can look at using Meraki Trusted Access, https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Trusted_Access_for_Se....


It still requires a systems manager license per device, but might not put such a heavy burden as managing the full MDM.

Kind of a big deal

Just note that you can't use Trusted Access for Windows computers.  But a great idea @Bruce.
