Intune CAs, PKI and Meraki client authentication

Solved
The_Roo
Getting noticed

I have an Azure tenant, in which I want to create a root CA and an issuing CA. I want to use the CAs as a source for Intune to issue certificates to client devices so that the clients can authenticate through Meraki APs (916x). I know Meraki pretty well, I can create CAs (root and issuing) in Azure/Intune, but I'm unclear how, having deployed the CAs, I use Intune to load the certificates from the CAs to the clients or how I use the certificates to support .1x (EAP/TLS) client authentication.

Are there any good written or video descriptions of the process that I can refer to?

Thanks

1 Accepted Solution
PhilipDAth
Kind of a big deal

You create a client configuration policy in Intune to deploy your root CA certificate:

[screenshot]

[screenshot]

And then your intermediate certificate:

[screenshot]

[screenshot]

And then SCEP policies to deploy certificates.  You can deploy computer, user or both computer and user.

[screenshot]

For User:

[screenshot]

For computer:

[screenshot]

And then, adding to @GIdenJoe's answer, you can also simply do certificate authentication on the APs.  No RADIUS or Access Manager required.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

This is an example I have set up to demo.

[screenshot]

7 Replies
GIdenJoe
Kind of a big deal

For your use case you have two options:
- You use the brand spanking new Access Manager feature which is in beta right now but can be tested for free, which has native Entra ID IdP integration where you can use your identity certificates for EAP-TLS authentication and dashboard will do an Entra ID user lookup to find out group memberships and some optional SAML attributes for use in authorization.  https://documentation.meraki.com/Access_Manager

- Option 2: you use your own radius solution (NPS, Radius as a service or other third party solutions) and couple them to your Entra ID tenant.

Mloraditch
Kind of a big deal

An example document for ISE and Entra: https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-ent...

The_Roo
Getting noticed

I'm going to accept Philip's reply as an answer, but for other readers of this thread, there is also some interesting information at https://community.meraki.com/t5/Wireless/Configuring-Cisco-Meraki-Wi-Fi-SSID-Authentication-Using-In... and https://community.meraki.com/t5/Wireless/Azure-Cloud-PKI-is-now-released-how-do-we-hook-Meraki-AP-to... 

CloudStrife
Getting noticed

@PhilipDAth Thank you so much, this really helps in clearing up the confusion.

klace17
New here

Hello Philip, 
I am also interested in setting this up, not having to use Access Manager would be great for my company. I was wondering which certificate would you upload to Meraki to use this configuration, the Root or Issuing? And for this particular example (Certificate Authentication on, Password Authentication off), when users try to connect to the network will they be prompted for username/password authentication, or would that only be if Password Authentication is turned on? Thank you!

PhilipDAth
Kind of a big deal

I uploaded both in a chain.

[screenshot]

>when users try to connect to the network will they be prompted for username/password authentication

That depends on how you configure their machines.  If you configure the SSID for EAP-TLS, and say to prefer certificates from your CA, there will be no prompts.
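Added example for readers of this thread, written here and not part of Philip's setup or of any Meraki or Microsoft documentation: a PowerShell check to run on an Intune-enrolled Windows client before pointing it at the EAP-TLS SSID. It confirms that the trusted-certificate profiles landed the root CA in the Trusted Root store and the issuing CA in the Intermediate store, that the SCEP profile issued a client certificate with a private key and the Client Authentication EKU, and that the certificate builds a chain to the root the same way a supplicant would. It then writes root and issuing CA as one PEM bundle, matching the "both in a chain" upload in the reply above. The CA subject names `CN=Example Root CA` and `CN=Example Issuing CA`, the output path, and the bundle order (issuing first, then root) are my own assumptions; replace the subjects with your own.

```powershell
# Added example, not from anyone in this thread. Run in an elevated PowerShell session so the
# LocalMachine stores are readable. CA subject names below are placeholders.
param(
    [string]$RootCaSubject    = 'CN=Example Root CA',     # placeholder: your root CA subject
    [string]$IssuingCaSubject = 'CN=Example Issuing CA',  # placeholder: your issuing CA subject
    [string]$ChainOutFile     = "$env:TEMP\ca-chain.pem"  # PEM bundle of issuing + root for the AP
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, needed on the certificate used for EAP-TLS

function Find-CaCert {
    param([string]$StorePath, [string]$Subject)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "$Subject*" } | Select-Object -First 1
}

# 1. Trusted certificate profiles: root CA -> LocalMachine\Root, issuing CA -> LocalMachine\CA
$root    = Find-CaCert -StorePath 'Cert:\LocalMachine\Root' -Subject $RootCaSubject
$issuing = Find-CaCert -StorePath 'Cert:\LocalMachine\CA'   -Subject $IssuingCaSubject
if (-not $root)    { Write-Warning "Root CA '$RootCaSubject' not found in LocalMachine\Root" }
if (-not $issuing) { Write-Warning "Issuing CA '$IssuingCaSubject' not found in LocalMachine\CA" }

# 2. SCEP profiles: device certificates land in LocalMachine\My, user certificates in CurrentUser\My.
#    For each certificate issued by our issuing CA that has a private key, report whether it
#    carries Client Authentication and whether a chain to a trusted root can be built.
function Test-ScepClientCert {
    param($Cert, [string]$Store)

    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthEku })

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline chain check; use 'Online' to also exercise the CRL/OCSP URLs
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Store       = $Store
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        NotAfter    = $Cert.NotAfter
        ClientAuth  = $hasClientAuth
        ChainBuilds = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '   # empty when the chain is good
    }
}

$results = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -like "$IssuingCaSubject*" -and $_.HasPrivateKey } |
        ForEach-Object { Test-ScepClientCert -Cert $_ -Store $store }
}
$results | Format-Table -AutoSize

# 3. Write the CA chain (issuing CA followed by root CA) as a PEM bundle for upload to the AP.
function ConvertTo-Pem {
    param($Cert)
    $b64 = [Convert]::ToBase64String($Cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}
if ($root -and $issuing) {
    (ConvertTo-Pem $issuing), (ConvertTo-Pem $root) -join "`n" | Set-Content -Path $ChainOutFile -Encoding ascii
    Write-Host "Wrote CA chain to $ChainOutFile"
}
```

A `ChainBuilds` of `False` with a `ChainStatus` of `PartialChain` or `UntrustedRoot` usually means the trusted-certificate profile for the issuing or root CA has not applied to that device yet, which shows up as EAP failures on the SSID even though the SCEP certificate itself looks fine.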