Configure Cisco Meraki supported clients

Cisco Meraki supports multiple wireless clients, including MS Windows and Apple OSX clients. This guide describes configuring wireless client by supported device.

Topics

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Configure Apple macOS device

  1. Download Apple Configurator 2 from the App Store on your Mac.
  2. In the Apple Configurator 2 app, choose File > New Profile.
    Enter a display name and unique identifier:
  3. Add your root certificate to the Certificates tab:
  4. In the Wi-Fi tab, enter values appropriate for your environment.
    For example:
  5. In the Trust, choose to trust the root certificate you previously added:
  6. Select File > Save and save the file with a .mobileconfig extension. You might receive the error message shown below. Ignore the message and select Save Anyway.

  7. Add the 802.1X Wifi user profile to your system.
    1. Select Profiles from System Preferences
    2. Choose the + sign to add the Wifi Profile you selected previously
  8. Connect to your network using the Network panel in System Preferences.

On successful login, within the Meraki events log, you would see events resembling:

 

Caution

Caution

When an AD or Okta password is updated, the user does not get prompted by OSX to update the password for WiFi connection.
Rather OSx continues to try to connect using the old password which could result in an account lockout.

Configure Apple iOS device

  1. Download Apple Configurator 2 from the App Store on your Mac device and open it.
  2. Choose File > New Profile.
    Then enter a display name and unique identifier for the profile:
  3. Add your root certificate to the Certificates tab:
  4. Under the Wi-Fifi tab, enter values appropriate for your environment. Sample values are provided below:
  5. In the Trust tab within the Wi-Fi section, choose to trust the root certificate you previously added:
  6. Choose File > Save to save the file with a .mobileconfig extension.
    Ignore any errors:
  7. Next, connect your iOS device with a USB cable.
    It will appear in the "All Devices" view in Apple Configurator 2:
  8. Right click on your device and choose the option to add a profile. In the file choosing dialog that appears, select the profile you previously created and follow the prompts on your laptop and mobile device:



  9. Lastly, connect to the Wifi just configured

Configure Android device

  1. Install EAP-TTLS root certificate
    1. Copy the certificate onto your Android device using a USB connected to your laptop or other means.
    2. On the device, navigate to Settings > Security & location > Advanced > Encryption & credentials.
    3. Under 'Credential Storage', tap the option to Install from device storage.
    4. Navigate to the location of the saved certificate.
    5. Tap the file.
    6. Type a name for the certificate and choose Wi-Fi
    7. Tap OK.
  2. Open your Wi-Fi settings and click on the SSID you want to connect to. If it's not visible, choose the option to Add network and enter your network SSID name and set the Security type to "802.1x EAP".
  3. Set the following options:
    FieldValue
    EAP MethodsTTLS
    CA certificationChoose the just installed certificate
    IdentityYour Okta username
    PasswordYour Okta password/MFA

    Advanced

    Under advanced set the following:

    • Phase 2 authentication PAP:
    • Anonymous identity: This value is the user's unencrypted identity outside the TLS tunnel. Since the RADIUS agent does not use this currently, you can enter any random value.

    When complete the configuration should resemble:

The device should now be able to connect to the Wi-Fi network.

Windows 10 device

  1. Navigate to the Network and Sharing Center and choose to Set up a new connection or network and then click Next.
  2. Choose Manually connect to a wireless network, then click Next.
  3. Enter the name of the SSID for your wireless network.
    Choose WPA2-Enterprise for the security type.
    Then click Next.
  4. Click Change connection settings.
  5. Select the Security tab and change the network authentication method to Microsoft: EAP-TTLS and then click on Settings.
  6. In the TTLS Properties page select the following settings:
    SettingValue
    Enable identity provacyanonymous
    Trusted Root Certification AuthoritiesCheck AddTrust External CA Root
    Within Client authenticationCheck Select a non-EAP method for authentication with value Unencrypted password(PAP)

    Which should resemble:
  7. Navigate back to the Network Properties and click Advanced settings.
  8. In Advanced settings, check Specify authentication mode with valueUser authentication Then click Save credentials.
  9. Connect to your RADIUS enabled SSID.