Configure Cisco Meraki to Interoperate with Okta via RADIUS using EAP-TTLS

Configuring Cisco Meraki to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

1. Contact support and download the Okta RADIUS Agent.
   Please ensure you are using RADIUS Agent v2.9.5 or later.
   See Okta RADIUS Server Agent Version History for complete release history.
2. Install the agent using the instructions in Install and configure the Okta RADIUS Server agent.
   The service account used during installation must be granted at least one of the admin roles:
   Super admin or App admin.
   
   

   Note

   Only the Super admin and App admin roles have access to the EAP-TTLS certificate and private key.

3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices
4. After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity.
   

   Source	Destination	Port/Protocol	Description
   Okta RADIUS Agent	Okta Identity Cloud	TCP/ 443 HTTPS	Configuration and authentication traffic
   Cisco Meraki	Okta RADIUS Agent	UDP/ 1812 RADIUS (actual port number defined in next step)	RADIUS traffic between the AP (client) and the RADIUS Agent (server)

In this step, add the Cisco Meraki Wireless LAN (RADIUS) app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

• Authentication configuration
• UDP Port
• Secret Key
• Application Username Format

Note

Duo, U2F Security, and Windows Hello MFA Factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to RADIUS applications in Okta.

There are optional advanced radius configuration options that are listed at the end of this page to help with Reporting the Client IP and Sending Groups information to the access point.

1. Login to your Okta tenant as Admin.
2. Navigate to Applications > Applications > Add Application.
3. Search for Cisco Meraki Wireless LAN (RADIUS), then click Add Application.
   

4. Enter a unique name.

5. Enter the following Sign On values:
   

   Field	Value
   Authentication	Retaining this default checkbox
   UDP Port	Required. Each RADIUS app has a unique number.
   Secret Key	Required: This key must be identical to what is configured in the Meraki Admin Console.
   Application username format	This determines how the RADIUS client sends in the username. Select Okta username format from the drop-down menu

   Which should resemble:
   
6. To enable EAP-TTLS:
   1. Scroll to the Authentication Protocol section and click Use EAP-TTLS authentication.
   2. Upload the server certificate chain and private key.
   3. Enter the password used to protect the certificate and key.
      Note: Okta recommends password protecting certificates and keys.
   4. Select the TLS version.
   5. Click Save.
      
7. After completing setup, assign the app to the users/groups that require access.
   For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see RADIUS applications in Okta.

In this section we configure access control using the Meraki Admin Console.

Important

The following steps are only valid when configuring an EAP-TTLS enabled RADIUS agent.

• If plain PAP authentication is used, use the splash screen option in Meraki to authenticate.
  If the RADIUS app is not configured for EAP-TTLS, the steps for configuring Meraki are different. Instead select sign-on with my RADIUS server.
  

1. Sign in to the Meraki console using an account with sufficient privileges.
2. Navigate to Wireless > Configure > Access Control.
3. Configure the following settings:
   
   • Select the SSID to setup for 802.1X EAP-TTLS authentication with Okta.
   • Check WPA2-Enterprise and select my RADIUS server.
   • Splash page check: None
4. Enter RADIUS agent details:
   • RADIUS servers, enter the IP address of Okta RADIUS Agent under Host.
   • Port number and Secret are the same as the application setup in your Cisco Meraki Wireless LAN (RADIUS) app.
     
   
   

The instructions to configure the wireless client vary depending on the device being configured. Choose an appropriate wireless client from the list below.

Configure Apple macOS device

1. Download Apple Configurator 2 from the App Store on your Mac.
   
2. In the Apple Configurator 2 app, choose File > New Profile.
   Enter a display name and unique identifier:
   
3. Add your root certificate to the Certificates tab:
   
4. In the Wi-Fi tab, enter values appropriate for your environment.
   For example:
   
5. In the Trust, choose to trust the root certificate you previously added:
   
6. Select File > Save and save the file with a .mobileconfig extension. You might receive the error message shown below. Ignore the message and select Save Anyway.
   
   
7. Add the 802.1X Wifi user profile to your system.
   1. Select Profiles from System Preferences
   2. Choose the + sign to add the Wifi Profile you selected previously

8. Connect to your network using the Network panel in System Preferences.

On successful login, within the Meraki events log, you would see events resembling:

 

Caution

When an AD or Okta password is updated, the user does not get prompted by OSX to update the password for WiFi connection.
Rather OSx continues to try to connect using the old password which could result in an account lockout.

Configure Apple iOS device

1. Download Apple Configurator 2 from the App Store on your Mac device and open it.
   
2. Choose File > New Profile.
   Then enter a display name and unique identifier for the profile:
   
3. Add your root certificate to the Certificates tab:
   
4. Under the Wi-Fifi tab, enter values appropriate for your environment. Sample values are provided below:
   
5. In the Trust tab within the Wi-Fi section, choose to trust the root certificate you previously added:
   
6. Choose File > Save to save the file with a .mobileconfig extension.
   Ignore any errors:
   
7. Next, connect your iOS device with a USB cable.
   It will appear in the "All Devices" view in Apple Configurator 2:
   
8. Right click on your device and choose the option to add a profile. In the file choosing dialog that appears, select the profile you previously created and follow the prompts on your laptop and mobile device:
   
   
   
   

9. Lastly, connect to the Wifi just configured

Configure Android Device

1. Install EAP-TTLS root certificate
   1. Copy the certificate onto your Android device using a USB connected to your laptop or other means.
   2. On the device, navigate to Settings > Security & location > Advanced > Encryption & credentials.
   3. Under 'Credential Storage', tap the option to Install from device storage.
   4. Navigate to the location of the saved certificate.
   5. Tap the file.
   6. Type a name for the certificate and choose Wi-Fi
   7. Tap OK.
2. Open your Wi-Fi settings and click on the SSID you want to connect to. If it's not visible, choose the option to Add network and enter your network SSID name and set the Security type to "802.1x EAP".
3. Set the following options:
   

   Field	Value
   EAP Methods	TTLS
   CA certification	Choose the just installed certificate
   Identity	Your Okta username
   Password	Your Okta password/MFA
   Advanced	Under advanced set the following: Phase 2 authentication PAP: Anonymous identity: This value is the user's unencrypted identity outside the TLS tunnel. Since the RADIUS agent does not use this currently, you can enter any random value.

   
   When complete the configuration should resemble:
   

The device should now be able to connect to the Wi-Fi network.

Windows 10

1. Navigate to the Network and Sharing Center and choose to Set up a new connection or network and then click Next.
   
2. Choose Manually connect to a wireless network, then click Next.
   
3. Enter the name of the SSID for your wireless network.
   Choose WPA2-Enterprise for the security type.
   Then click Next.
   
4. Click Change connection settings.
   
5. Select the Security tab and change the network authentication method to Microsoft: EAP-TTLS and then click on Settings.
   
6. In the TTLS Properties page select the following settings:
   

   Setting	Value
   Enable identity provacy	anonymous
   Trusted Root Certification Authorities	Check AddTrust External CA Root
   Within Client authentication	Check Select a non-EAP method for authentication with value Unencrypted password(PAP)

   
   Which should resemble:
   
7. Navigate back to the Network Properties and click Advanced settings.
   
8. In Advanced settings, check Specify authentication mode with valueUser authentication Then click Save credentials.
9. Connect to your RADIUS enabled SSID.

• The Error(s) below show when one of:
  
  • The CA certificate was not added on the client machine
  • The wrong CA certificate was added on the client machine
  • An incorrect Wi-Fi network is used

  

  
  
• To set the log level in the RADIUS agent:
  1. Using a text editor, open the log4j.properties file from the installation folder
     C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\user\config\radius\
  2. Change the last instance of “info” to
     debug (verbose) or trace (very verbose).
     The update should resemble:
     log4j.rootLogger=debug, app, stdout
     or
     log4j.rootLogger=trace, app, stdout
  3. Save the change and close the editor.
     
• To examine logs or capture packets:
  • On Mac, to display log information during connection attempts:
    Upen a command prompt and execute the command:
    log show --predicate 'subsystem == "com.apple.eapol"'
    Attempt to connect to the WiFi access point.
    Examine the log which will product results similar to:
    2019-04-10 15:38:53.868667-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0 START uid 501 gid 20
2019-04-10 15:38:54.062713-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0: 802.1X User Mode
2019-04-10 15:39:02.510875-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0 EAP-TTLS: successfully authenticated
2019-04-10 15:39:11.117972-0400 0x1caacd Default 0x0 17296 0 eapolclient: [com.apple.eapol:Client] en0 STOP
    
  • On Meraki cloud admin dashboard, navigate to Network-wide , and select either Packet capture or Event Log, as shown below.

    

• Interpreting Wireshark captures
  At a high level, there are three stages in the communication between the supplicant/AP and the RADIUS server when an authentication takes place:
  
  • exchange of EAP-Identity and EAP-Start messages
  • TLS Handshake, starting with a ClientHello
  • RADIUS Access-Accept, followed by a 4-way EAPoL handshake between the AP and supplicant